List: forgerock-openam-commit
Subject: [CommitOpenAM] [14913] trunk/docs/server/src/main/docbkx/admin-guide: AME-7381 R-799 Edit the
From: noreply () forgerock ! org
Date: 2015-07-31 17:16:10
Message-ID: 20150731171610.9564040882 () sources ! internal ! forgerock ! com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[14913] trunk/docs/server/src/main/docbkx/admin-guide: AME-7381 R-799 Edit the OpenAM Admin Guide.</title> </head>
<body>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://sources.forgerock.org/changelog/openam/?cs=14913">14913</a></dd>
<dt>Author</dt> <dd>austingene</dd>
<dt>Date</dt> <dd>2015-07-31 18:16:10 +0100 (Fri, 31 Jul 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>AME-7381 R-799 Edit the OpenAM Admin Guide. Committing individual files.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapauditloggingxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-audit-logging.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapauthzpolicyxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-authz-policy.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapcertskeystoresxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-certs-keystores.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapchangehostsxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-change-hosts.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapfederationxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-federation.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapmonitoringxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-monitoring.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapoauth2xml">trunk/docs/server/src/main/docbkx/admin-guide/chap-oauth2.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapopenidconnectxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-openid-connect.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechappwdresetxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-pwd-reset.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechaprealmsxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-realms.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechaprestxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-rest.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapsaml1xml">trunk/docs/server/src/main/docbkx/admin-guide/chap-saml-1.xml</a></li>
<li><a href="#trunkdocsserversrcmaindocbkxadminguidechapsecuringxml">trunk/docs/server/src/main/docbkx/admin-guide/chap-securing.xml</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkdocsserversrcmaindocbkxadminguidechapauditloggingxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-audit-logging.xml (14912 => \
14913)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-audit-logging.xml 2015-07-31 \
16:33:31 UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-audit-logging.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -126,7 +126,7 @@
</span><span class="cx"> <procedure \
xml:id="enable-syslog-audit-logging-console"> </span><span class="cx"> \
<title>Enabling Syslog Audit Logging by Using the OpenAM Console</title> \
</span><span class="cx"> <step> </span><del>- <para>Login to the \
OpenAM console as OpenAM administrator.</para> </del><ins>+ \
<para>Log in to the OpenAM console as OpenAM administrator.</para> \
</ins><span class="cx"> </step> </span><span class="cx"> <step>
</span><span class="cx"> <para>Browse to Configuration &gt; System \
&gt; Logging.</para> </span></span></pre></div>
<a id="trunkdocsserversrcmaindocbkxadminguidechapauthzpolicyxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-authz-policy.xml (14912 => \
14913)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-authz-policy.xml 2015-07-31 \
16:33:31 UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-authz-policy.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -430,7 +430,7 @@
</span><span class="cx"> <xinclude:include \
href="sec-configure-resource-types-with-console.xml"> </span><span \
class="cx"> <xinclude:fallback> </span><span class="cx"> <para>
</span><del>- Configuring Resource Types with the OpenAM Console missing:
</del><ins>+ Configuring Resource Types with the OpenAM console missing:
</ins><span class="cx"> sec-configure-resource-types-with-console.xml
</span><span class="cx"> </para>
</span><span class="cx"> </xinclude:fallback>
</span><span class="lines">@@ -439,7 +439,7 @@
</span><span class="cx"> <xinclude:include \
href="sec-configure-apps-with-console.xml"> </span><span class="cx"> \
<xinclude:fallback> </span><span class="cx"> <para>
</span><del>- Configuring Applications with the OpenAM Console missing:
</del><ins>+ Configuring Applications with the OpenAM console missing:
</ins><span class="cx"> sec-configure-apps-with-console.xml
</span><span class="cx"> </para>
</span><span class="cx"> </xinclude:fallback>
</span><span class="lines">@@ -448,7 +448,7 @@
</span><span class="cx"> <xinclude:include \
href="sec-configure-policies-with-console.xml"> </span><span class="cx"> \
<xinclude:fallback> </span><span class="cx"> <para>
</span><del>- Configuring Policies with the OpenAM Console missing:
</del><ins>+ Configuring Policies with the OpenAM console missing:
</ins><span class="cx"> sec-configure-apps-with-console.xml
</span><span class="cx"> </para>
</span><span class="cx"> </xinclude:fallback>
</span></span></pre></div>
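Review bot: the fallback text in this hunk still names the wrong file. The xinclude href is sec-configure-policies-with-console.xml, but the fallback para lists sec-configure-apps-with-console.xml, so a failed include would report the applications section as missing instead of the policies one. Since the line is being touched for the Console/console change anyway, correct the filename in the same commit.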
<a id="trunkdocsserversrcmaindocbkxadminguidechapcertskeystoresxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-certs-keystores.xml (14912 => \
14913)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-certs-keystores.xml 2015-07-31 \
16:33:31 UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-certs-keystores.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -337,7 +337,7 @@
</span><span class="cx"> -storetype JKS \
</span><span class="cx"> -keystore keystore.jks</userinput>
</span><span class="cx"> <computeroutput>Enter keystore password:
</span><del>-Re-enter new password:
</del><ins>+Reenter new password:
</ins><span class="cx"> What is your first and last name?
</span><span class="cx"> [Unknown]:</computeroutput> \
<userinput>openam.example.com</userinput> </span><span class="cx"> \
<computeroutput>What is the name of your organizational unit? </span><span \
class="lines">@@ -356,7 +356,7 @@ </span><span class="cx">
</span><span class="cx"> <computeroutput>Enter key password for \
&lt;newkey&gt; </span><span class="cx"> (RETURN if same as keystore \
password): </span><del>-Re-enter new password:</computeroutput>
</del><ins>+Reenter new password:</computeroutput>
</ins><span class="cx"> </screen>
</span><span class="cx">
</span><span class="cx"> <para>Self-signed keys are not automatically \
recognized by other entities. </span><span class="lines">@@ -419,7 +419,7 @@
</span><span class="cx"> </step>
</span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Login to OpenAM console as administrator, and then set \
the new signing </del><ins>+ <para>Log in to OpenAM console as administrator, \
and then set the new signing </ins><span class="cx"> key in one of two \
ways:</para> </span><span class="cx"> <substeps>
</span><span class="cx"> <step>
</span></span></pre></div>
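Review bot: in the @@ -337 and @@ -356 hunks the "Re-enter" to "Reenter" change is applied inside <computeroutput>, which is meant to reproduce keytool's prompt verbatim; keytool prints "Re-enter new password:" and readers compare the guide against that output. Keep the tool's own spelling inside <computeroutput> and apply the house style only to prose.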
<a id="trunkdocsserversrcmaindocbkxadminguidechapchangehostsxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-change-hosts.xml (14912 => \
14913)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-change-hosts.xml 2015-07-31 \
16:33:31 UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-change-hosts.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -81,7 +81,7 @@
</span><span class="cx"> <title>To Add the New Host Name As an \
Alias</title> </span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Login to OpenAM console as administrator,
</del><ins>+ <para>Log in to OpenAM console as administrator,
</ins><span class="cx"> <literal>amadmin</literal>.</para>
</span><span class="cx"> </step>
</span><span class="cx"> <step>
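Review bot: "Log in to OpenAM console as administrator" drops the article; the chap-audit-logging hunk in this same commit reads "Log in to the OpenAM console". Use "Log in to the OpenAM console as administrator, amadmin" here and in the @@ -245 hunk below so the guide stays consistent.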
</span><span class="lines">@@ -245,7 +245,7 @@
</span><span class="cx"> <title>To Remove the Old Host Name As an \
Alias</title> </span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Login to OpenAM console as administrator,
</del><ins>+ <para>Log in to OpenAM console as administrator,
</ins><span class="cx"> <literal>amadmin</literal>.</para>
</span><span class="cx"> </step>
</span><span class="cx"> <step>
</span></span></pre></div>
<a id="trunkdocsserversrcmaindocbkxadminguidechapfederationxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-federation.xml (14912 => \
14913)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-federation.xml 2015-07-31 16:33:31 \
UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-federation.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -957,7 +957,7 @@
</span><span class="cx"> additional attributes in user profiles.</para>
</span><span class="cx">
</span><span class="cx"> <para>To specify the list of profile attributes \
for an LDAP identity </span><del>- repository, login to OpenAM Console as \
administrator and browse to </del><ins>+ repository, login to OpenAM console as \
administrator and browse to </ins><span class="cx"> Access Control > \
<replaceable>Realm Name</replaceable> > Data Stores, and </span><span \
class="cx"> click the data store name to open the configuration page. Scroll \
down to </span><span class="cx"> User Configuration, and edit the LDAP User \
Attributes list, and then </span><span class="lines">@@ -1741,19 +1741,19 @@
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><del>- Delete the provider configuration in OpenAM Console.
</del><ins>+ Delete the provider configuration in OpenAM console.
</ins><span class="cx"> </para>
</span><span class="cx"> </listitem>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><del>- Import the edited provider configuration in OpenAM Console.
</del><ins>+ Import the edited provider configuration in OpenAM console.
</ins><span class="cx"> </para>
</span><span class="cx"> </listitem>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><del>- Enable SAML v2.0 failover in OpenAM Console.
</del><ins>+ Enable SAML v2.0 failover in OpenAM console.
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="lines">@@ -3252,7 +3252,7 @@
</span><span class="cx"> again on the hosted service provider(s):</para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Login to the OpenAM console as \
administrator.</para> </del><ins>+ <para>Log in to the OpenAM console \
as administrator.</para> </ins><span class="cx"> </step>
</span><span class="cx"> <step>
</span><span class="cx"> <para>Browse to Federation &gt; \
<replaceable </span></span></pre></div>
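Review bot: the @@ -957,7 +957,7 @@ hunk changes "Console" to "console" but leaves the verb as "login" ("repository, login to OpenAM console as administrator"), while the other hunks in this commit correct "Login" to "Log in". Change it to "log in to the OpenAM console" so the sentence gets both fixes at once.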
<a id="trunkdocsserversrcmaindocbkxadminguidechapmonitoringxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-monitoring.xml (14912 => \
14913)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-monitoring.xml 2015-07-31 16:33:31 \
UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-monitoring.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -323,7 +323,7 @@
</span><span class="cx"> You can monitor policy evaluation performance over SNMP.
</span><span class="cx"> OpenAM records statistics for up to
</span><span class="cx"> a number of recent policy evaluation requests.
</span><del>- (You can configure the number in OpenAM Console
</del><ins>+ (You can configure the number in OpenAM console
</ins><span class="cx"> under Configuration > System > Monitoring.
</span><span class="cx"> For details, see the system configuration reference \
section, </span><span class="cx"> <link
</span><span class="lines">@@ -633,7 +633,7 @@
</span><span class="cx"> You can monitor stateful session statistics over SNMP.
</span><span class="cx"> OpenAM records statistics for up to
</span><span class="cx"> a configurable number of recent sessions.
</span><del>- (You can configure the number in OpenAM Console
</del><ins>+ (You can configure the number in OpenAM console
</ins><span class="cx"> under Configuration > System > Monitoring.
</span><span class="cx"> For details, see the system configuration reference \
section, </span><span class="cx"> <link
</span><span class="lines">@@ -1063,7 +1063,7 @@
</span><span class="cx"> <para>Perform these steps to capture debug \
messages for a specific </span><span class="cx"> service:</para>
</span><span class="cx"> <listitem>
</span><del>- <para>Login to OpenAM console as administrator,
</del><ins>+ <para>Log in to OpenAM console as administrator,
</ins><span class="cx"> <literal>amadmin</literal>.</para>
</span><span class="cx"> </listitem>
</span><span class="cx"> <listitem>
</span></span></pre></div>
<a id="trunkdocsserversrcmaindocbkxadminguidechapoauth2xml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-oauth2.xml (14912 => 14913)</h4> \
<pre class="diff"><span> <span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-oauth2.xml 2015-07-31 16:33:31 UTC \
(rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-oauth2.xml 2015-07-31 17:16:10 \
UTC (rev 14913) </span><span class="lines">@@ -69,14 +69,17 @@
</span><span class="cx"> </footnote> The following sequence diagram indicates \
the primary roles </span><span class="cx"> OpenAM can play in the OAuth 2.0 \
protocol flow.</para> </span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-flow">
- <alt>OpenAM in OAuth 2.0 protocol flow</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-flow.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>OpenAM can function as the authorization server and \
also
- as the client.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-flow">
+ <title>OpenAM in OAuth 2.0 Protocol Flow</title>
+ <mediaobject>
+ <alt>OpenAM in OAuth 2.0 protocol flow</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-flow.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>OpenAM can function as the authorization server \
and also + as the client.</para></textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <section \
xml:id="openam-oauth2-authz-server"> </span><span class="cx"> \
<title>OpenAM as OAuth 2.0 Authorization Server</title> </span><span \
class="lines">@@ -93,7 +96,7 @@ </span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> When using OpenAM as authorization server,
</span><del>- you can register clients in OpenAM Console alongside policy agent \
profiles </del><ins>+ you can register clients in OpenAM console alongside policy \
agent profiles </ins><span class="cx"> under the OAuth 2.0 Client tab.
</span><span class="cx">
</span><span class="cx"> OpenAM supports both confidential and public clients.
</span><span class="lines">@@ -120,14 +123,18 @@
</span><span class="cx"> outlines a successful process from initial client \
redirection through to the </span><span class="cx"> client accessing the \
protected resource.</para> </span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-authz">
- <alt>OpenAM in OAuth 2.0 Authorization Code Grant process</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-authz.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>OpenAM supports the authorization code
- grant.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-authz">
+ <title>OpenAM in OAuth 2.0 Authorization Code Grant Process</title>
+ <mediaobject>
+ <alt>OpenAM in OAuth 2.0 Authorization Code Grant process</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-authz.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>OpenAM supports the authorization code
+ grant.</para></textobject>
+ </mediaobject>
+ </figure>
+
</ins><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="oauth2-implicit">
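Review bot: inconsistent spacing after </figure>: this hunk and the @@ -144 implicit-grant hunk add an empty "+" line before </section>, but the @@ -165 and @@ -188 hunks for the ropc and client-credentials figures do not. Pick one convention for the figure-to-</section> transition so the five grant sections in this file are uniform.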
</span><span class="lines">@@ -144,13 +151,17 @@
</span><span class="cx"> access token directly in the fragment portion of the \
redirect URI. The </span><span class="cx"> following sequence diagram outlines \
the successful process.</para> </span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-implicit">
- <alt>OpenAM in OAuth 2.0 Implicit Grant process</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-implicit.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>OpenAM supports the implicit \
grant.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-implicit">
+ <title>OpenAM in OAuth 2.0 Implicit Grant Process</title>
+ <mediaobject>
+ <alt>OpenAM in OAuth 2.0 Implicit Grant process</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-implicit.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>OpenAM supports the implicit \
grant.</para></textobject> + </mediaobject>
+ </figure>
+
</ins><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="oauth2-ropc">
</span><span class="lines">@@ -165,14 +176,17 @@
</span><span class="cx"> to continue accessing resources. The following sequence \
diagram shows the </span><span class="cx"> successful process.</para>
</span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-ropc">
- <alt>OpenAM in OAuth 2.0 Resource Owner Password Credentials Grant \
process</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-ropc.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>OpenAM supports the resource owner password \
credentials
- grant.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-ropc">
+ <title>OpenAM in OAuth 2.0 Resource Owner Password Credentials Grant \
Process</title> + <mediaobject>
+ <alt>OpenAM in OAuth 2.0 Resource Owner Password Credentials Grant \
process</alt> + <imageobject>
+ <imagedata fileref="images/oauth2-ropc.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>OpenAM supports the resource owner password \
credentials + grant.</para></textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="oauth2-client-cred">
</span><span class="lines">@@ -188,14 +202,17 @@
</span><span class="cx"> resource owner, for example. The following sequence \
diagram shows the </span><span class="cx"> successful process.</para>
</span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-client-cred">
- <alt>OpenAM in OAuth 2.0 Client Credentials Grant process</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-client-cred.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>OpenAM supports the client credentials
- grant.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-client-cred">
+ <title>OpenAM in OAuth 2.0 Client Credentials Grant Process</title>
+ <mediaobject>
+ <alt>OpenAM in OAuth 2.0 Client Credentials Grant process</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-client-cred.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>OpenAM supports the client credentials
+ grant.</para></textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="oauth2-jwt-bearer">
</span><span class="lines">@@ -233,21 +250,24 @@
</span><span class="cx"> and <literal>client_assertion</literal> to \
the JWT string. </span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-oauth2-jwt-bearer-authn">
- <alt>JWT Bearer Client Authentication</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-jwt-bearer-authn.png" \
format="PNG"/>
- </imageobject>
- <textobject>
- <para>
- OpenAM supports uses of a JWT for client authentication.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-jwt-bearer-authn">
+ <title>JWT Bearer Client Authentication</title>
+ <mediaobject>
+ <alt>JWT Bearer Client Authentication</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-jwt-bearer-authn.png" \
format="PNG"/> + </imageobject>
+ <textobject>
+ <para>
+ OpenAM supports uses of a JWT for client authentication.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> The HTTP POST to OpenAM looks something like the \
following, </span><del>- where the assertion value is the JWT.
</del><ins>+ where the assertion value is the JWT:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <programlisting language="http">
</span><span class="lines">@@ -270,24 +290,27 @@
</span><span class="cx"> and <literal>assertion</literal> to the JWT \
string. </span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-oauth2-jwt-bearer-authz">
- <alt>JWT Bearer as Authorization Grant</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-jwt-bearer-authz.png" \
format="PNG"/>
- </imageobject>
- <textobject>
- <para>
- OpenAM supports uses of a JWT for client authentication.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-jwt-bearer-authz">
+ <title>JWT Bearer as Authorization Grant</title>
+ <mediaobject>
+ <alt>JWT Bearer as Authorization Grant</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-jwt-bearer-authz.png" \
format="PNG"/> + </imageobject>
+ <textobject>
+ <para>
+ OpenAM supports uses of a JWT for client authentication.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> The HTTP POST to OpenAM looks something like the \
following, </span><span class="cx"> where the assertion value is the JWT.
</span><span class="cx"> This listing does not show the client credentials,
</span><span class="cx"> which must be provided, for example
</span><del>- as form parameters, a JWT token, or an authorization header.
</del><ins>+ as form parameters, a JWT token, or an authorization header:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <programlisting language="http">
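Review bot: the textobject under figure-oauth2-jwt-bearer-authz still reads "OpenAM supports uses of a JWT for client authentication.", copied from the client-authentication figure above. This figure is titled "JWT Bearer as Authorization Grant", so the text alternative should say that OpenAM supports use of a JWT as an authorization grant; as written, text-only and screen-reader output describes the wrong flow.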
</span><span class="lines">@@ -310,14 +333,14 @@
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><del>- "iss" (issuer) whose value identifies the JWT issuer
</del><ins>+ "iss" (issuer) whose value identifies the JWT issuer.
</ins><span class="cx"> </para>
</span><span class="cx"> </listitem>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><span class="cx"> "sub" (subject) whose value identifies the \
principal </span><del>- who is the subject of the JWT
</del><ins>+ who is the subject of the JWT.
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="lines">@@ -329,7 +352,7 @@
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><span class="cx"> "aud" (audience) whose value identifies the \
authorization server </span><del>- that is the intended audience of the JWT
</del><ins>+ that is the intended audience of the JWT.
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="lines">@@ -340,7 +363,7 @@
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><del>- "exp" (expiration) whose value specifies the time of \
expiration </del><ins>+ "exp" (expiration) whose value specifies the \
time of expiration. </ins><span class="cx"> </para>
</span><span class="cx"> </listitem>
</span><span class="cx"> </itemizedlist>
</span><span class="lines">@@ -381,7 +404,7 @@
</span><span class="cx">
</span><span class="cx"> <para>In both profiles, the issuer must sign the \
assertion. The client </span><span class="cx"> communicates the assertion over a \
channel protected with transport </span><del>- layer security, by performing an \
HTTP POST to the OpenAM's access token </del><ins>+ layer security by performing \
an HTTP POST to the OpenAM's access token </ins><span class="cx"> endpoint. \
OpenAM as OAuth 2.0 authorization server uses the issuer ID to </span><span \
class="cx"> validate the signature on the assertion.</para> </span><span \
class="cx"> </span><span class="lines">@@ -393,14 +416,17 @@
</span><span class="cx"> the identity provider who issues the assertion, they are \
granting the client </span><span class="cx"> permission to access the protected \
resources.</para> </span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-saml2-bearer">
- <alt>SAML v2.0 Bearer Assertion Authorization Grant</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-saml2-bearer.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>OpenAM supports SAML v2.0 Bearer Assertion \
Profiles, for
- example to use an assertion to request an access \
token.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-saml2-bearer">
+ <title>SAML v2.0 Bearer Assertion Authorization Grant</title>
+ <mediaobject>
+ <alt>SAML v2.0 Bearer Assertion Authorization Grant</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-saml2-bearer.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>OpenAM supports SAML v2.0 Bearer Assertion \
Profiles, for + example to use an assertion to request an access \
token.</para></textobject> + </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>The HTTP POST to OpenAM to request an access \
token looks something </span><span class="cx"> like this:</para>
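Review bot: in the @@ -381,7 +404,7 @@ hunk the comma fix leaves "an HTTP POST to the OpenAM's access token endpoint" intact, and "the" before a possessive proper noun is ungrammatical. Use "to OpenAM's access token endpoint" or "to the OpenAM access token endpoint".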
</span><span class="lines">@@ -463,7 +489,7 @@
</span><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="openam-oauth2-client">
</span><del>- <title>OpenAM as OAuth 2.0 Client &amp; Resource Server \
Solution</title> </del><ins>+ <title>OpenAM as OAuth 2.0 Client and \
Resource Server Solution</title> </ins><span class="cx">
</span><span class="cx"> <indexterm>
</span><span class="cx"> <primary>OAuth 2.0</primary>
</span><span class="lines">@@ -490,16 +516,19 @@
</span><span class="cx"> access to protected resources in the scenario where \
OpenAM functions as both </span><span class="cx"> authorization server and client \
for example.</para> </span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-openam-client">
- <alt>OpenAM as OAuth 2.0 client and authorization server</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-openam-client.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>OpenAM as client works as an authentication module \
where
- authentication and authorization is handled by the authorization server,
- and on success an SSO session is created, so that OpenAM access management
- can happen as it normally does.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-openam-client">
+ <title>OpenAM as OAuth 2.0 Client and Authorization Server</title>
+ <mediaobject>
+ <alt>OpenAM as OAuth 2.0 client and authorization server</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-openam-client.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>OpenAM as client works as an authentication \
module where + authentication and authorization is handled by the authorization \
server, + and on success an SSO session is created, so that OpenAM access \
management + can happen as it normally does.</para></textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>As the OAuth 2.0 client functionality is \
implemented as an OpenAM </span><span class="cx"> authentication module, you do \
not need to deploy your own resource server </span><span class="lines">@@ -518,11 \
+547,11 @@ </span><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="oauth2-byo-client">
</span><del>- <title>Using Your Own Client &amp; Resource \
Server</title> </del><ins>+ <title>Using Your Own Client and Resource \
Server</title> </ins><span class="cx">
</span><span class="cx"> <indexterm>
</span><span class="cx"> <primary>OAuth 2.0</primary>
</span><del>- <secondary>using own client &amp; resource \
server</secondary> </del><ins>+ <secondary>using own client and \
resource server</secondary> </ins><span class="cx"> </indexterm>
</span><span class="cx">
</span><span class="cx"> <para>OpenAM returns bearer tokens as described in \
RFC 6750, <link </span><span class="lines">@@ -531,7 +560,7 @@
</span><span class="cx"> Usage</citetitle></link>. Notice in the \
following example JSON response to </span><span class="cx"> an access token \
request that OpenAM returns a refresh token with the access </span><span class="cx"> \
token. The client can use the refresh token to get a new access token as \
</span><del>- described in RFC 6749.</para> </del><ins>+ described in RFC \
6749:</para> </ins><span class="cx">
</span><span class="cx"> <programlisting language="javascript">{
</span><span class="cx"> "expires_in": 599,
</span><span class="lines">@@ -547,7 +576,7 @@
</span><span class="cx"> access token.</para>
</span><span class="cx">
</span><span class="cx"> <para>The default OpenAM implementation of OAuth \
2.0 scopes assumes that the </span><del>- space-separated (%20 when URL encoded) \
list of scopes in an access token </del><ins>+ space-separated (%20 when \
URL-encoded) list of scopes in an access token </ins><span class="cx"> request \
correspond to names of attributes in the resource owner's </span><span class="cx"> \
profile.</para> </span><span class="cx">
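Review bot: the sentence this hunk rewrites has a number-agreement slip in its unchanged tail: "the space-separated (%20 when URL-encoded) list of scopes in an access token request correspond to names of attributes" takes "list" as its subject, so it should read "corresponds to names of attributes". Since the hunk already touches the first half of this sentence, fix the verb in the same edit.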
</span><span class="lines">@@ -561,7 +590,7 @@
</span><span class="cx"> <literal>mail</literal> and \
<literal>cn</literal> scopes with the email </span><span class="cx"> \
address (<literal>demo@example.com</literal>) and common name \
</span><span class="cx"> (<literal>demo</literal>) from the demo \
user's profile. The result is </span><del>- something like the following token \
information response.</para> </del><ins>+ something like the following token \
information response:</para> </ins><span class="cx">
</span><span class="cx"> <programlisting language="javascript">{
</span><span class="cx"> "mail": "demo@example.com",
</span><span class="lines">@@ -603,14 +632,14 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> Follow the steps in this procedure
</span><del>- to set up the service with the Common Tasks wizard.
</del><ins>+ to set up the service with the Common Tasks wizard:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> When you create the service with the Common Tasks \
wizard, </span><del>- the wizard also creates a standard policy in the top level \
realm (/) </del><ins>+ the wizard also creates a standard policy in the top-level \
realm (/) </ins><span class="cx"> to protect the authorization endpoint.
</span><del>- In this configuration OpenAM serves the resources to protect,
</del><ins>+ In this configuration, OpenAM serves the resources to protect,
</ins><span class="cx"> and no separate application is involved.
</span><span class="cx"> OpenAM therefore acts both as the policy decision point
</span><span class="cx"> and also as the policy enforcement point
</span><span class="lines">@@ -619,8 +648,8 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> There is no requirement to use the wizard
</span><del>- or to create the policy in the top level realm.
- However if you create the OAuth 2.0 authorization service without the wizard,
</del><ins>+ or to create the policy in the top-level realm.
+ However, if you create the OAuth 2.0 authorization service without the wizard,
</ins><span class="cx"> then you must set up the policy independently as well.
</span><span class="cx"> The policy must appear in an application of type
</span><span class="cx"> <literal>iPlanetAMWebAgentService</literal>,
</span><span class="lines">@@ -633,13 +662,13 @@
</span><span class="cx"> \
xlink:href="dev-guide#rest-api-oauth2-client-endpoints" </span><span \
class="cx"> xlink:role="http://docbook.org/xlink/role/olink" \
</span><span class="cx"> xlink:show="new" </span><del>- \
><citetitle>OAuth 2.0 Client &amp; Resource Server \
Endpoints</citetitle></link>. </del><ins>+ ><citetitle>OAuth \
2.0 Client and Resource Server Endpoints</citetitle></link>. </ins><span \
class="cx"> For details on creating policies, see the chapter on </span><span \
class="cx"> <link </span><span class="cx"> \
xlink:href="admin-guide#chap-authz-policy" </span><span class="cx"> \
xlink:role="http://docbook.org/xlink/role/olink" </span><span class="cx"> \
xlink:show="new" </span><del>- ><citetitle>Defining \
Authorization Policies</citetitle></link>. </del><ins>+ \
><citetitle>Defining Authorization Policies</citetitle></link>: \
</ins><span class="cx"> </para> </span><span class="cx">
</span><span class="cx"> <step>
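Review bot: the colon added after the "Defining Authorization Policies" cross-reference attaches to the wrong sentence. That sentence is a pointer to another chapter, not the lead-in to the steps, and the paragraph "Follow the steps in this procedure to set up the service with the Common Tasks wizard:" earlier in this change already carries the introducing colon; keep the full stop here ("><citetitle>Defining Authorization Policies</citetitle></link>.") so the procedure is not introduced twice. Separately, the citetitle edit "OAuth 2.0 Client and Resource Server Endpoints" targets dev-guide#rest-api-oauth2-client-endpoints, which lives in a guide this commit does not touch; confirm that section's title was changed identically, otherwise the rendered link text and the target heading will disagree. The same check applies to the other olink citetitles edited in this file.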
</span><span class="lines">@@ -684,14 +713,14 @@
</span><span class="cx"> <para>Click Create to complete the \
process.</para> </span><span class="cx">
</span><span class="cx"> <para>
</span><del>- To access the authorization server configuration in OpenAM Console,
</del><ins>+ To access the authorization server configuration in OpenAM console,
</ins><span class="cx"> browse to Access Control > <replaceable>Realm \
Name</replaceable> > Services, </span><span class="cx"> and then click \
OAuth2 Provider. </span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> As mentioned at the outset of this procedure,
</span><del>- the wizard sets up a policy in the top level realm
</del><ins>+ the wizard sets up a policy in the top-level realm
</ins><span class="cx"> to protect the authorization endpoint.
</span><span class="cx"> The policy appears in
</span><span class="cx"> the \
<literal>iPlanetAMWebAgentService</literal> application. </span><span \
class="lines">@@ -721,7 +750,7 @@ </span><span class="cx"> so OAuth 2.0 resource \
owners can log in using their email address, </span><span class="cx"> stored on \
the LDAP profile attribute, <literal>mail</literal>. </span><span \
class="cx"> Adapt the names if you use a different LDAP profile attribute, \
</span><del>- such as <literal>cn</literal>. </del><ins>+ such as \
<literal>cn</literal>: </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <substeps>
</span><span class="lines">@@ -752,13 +781,13 @@
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Create an LDAP authentication module to use with the external \
directory. </del><ins>+ Create an LDAP authentication module to use with the \
external directory: </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <substeps>
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- In OpenAM Console under Access Control > \
<replaceable>Realm </del><ins>+ In OpenAM console under Access Control \
> <replaceable>Realm </ins><span class="cx"> \
Name</replaceable> > Authentication > Module Instances, </span><span \
class="cx"> create a module to access the LDAP identity repository, \
</span><span class="cx"> such as \
<literal>LDAPAuthUsingMail</literal>. </span><span class="lines">@@ \
-790,7 +819,7 @@ </span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Create an authentication chain to include the module
</del><ins>+ Create an authentication chain to include the module,
</ins><span class="cx"> such as <literal>authUsingMail</literal>.
</span><span class="cx"> </para>
</span><span class="cx">
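Review bot: the comma added in "Create an authentication chain to include the module, such as <literal>authUsingMail</literal>." makes "such as authUsingMail" read as the name of the module, but the preceding substep named the module <literal>LDAPAuthUsingMail</literal> and authUsingMail is the chain. Suggest "Create an authentication chain, such as <literal>authUsingMail</literal>, that includes the module." so the example name is clearly attached to the chain.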
</span><span class="lines">@@ -900,7 +929,7 @@
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Add a multi-valued, string syntax profile attribute to your \
identity </del><ins>+ Add a multi-valued string syntax profile attribute to your \
identity </ins><span class="cx"> repository. OpenAM stores resource owners' \
consent to authorize client </span><span class="cx"> access in this profile \
attribute. On subsequent requests from the same </span><span class="cx"> client \
for the same scopes, the resource owner no longer sees the </span><span \
class="lines">@@ -958,7 +987,7 @@ </span><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="register-oauth2-client">
</span><del>- <title>Registering OAuth 2.0 Clients with the Authorization \
Service</title> </del><ins>+ <title>Registering OAuth 2.0 Clients With \
the Authorization Service</title> </ins><span class="cx">
</span><span class="cx"> <indexterm>
</span><span class="cx"> <primary>OAuth 2.0</primary>
</span><span class="lines">@@ -982,7 +1011,7 @@
</span><span class="cx"> </indexterm>
</span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Use either of these two facilities.</para>
</del><ins>+ <para>Use either of these two facilities:</para>
</ins><span class="cx"> <stepalternatives>
</span><span class="cx"> <step>
</span><span class="cx"> <para>In the OpenAM console, access the client \
registration endpoint </span><span class="lines">@@ -1027,7 +1056,7 @@
</span><span class="cx"> and also the documentation section <link \
xlink:show="new" </span><span class="cx"> \
xlink:href="admin-guide#configure-oauth2-client" </span><span class="cx"> \
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring
</span><del>- OAuth 2.0 &amp; OpenID Connect 1.0 \
Clients</citetitle></link>.</para> </del><ins>+ OAuth 2.0 and \
OpenID Connect 1.0 Clients</citetitle></link>.</para> </ins><span \
class="cx"> </span><span class="cx"> <para>Examine the client type option. \
An important decision to make at this </span><span class="cx"> point is whether \
your client is a confidential client or a public client. </span><span \
class="lines">@@ -1040,7 +1069,7 @@ </span><span class="cx"> then yours is a \
public client.</para> </span><span class="cx"> </step>
</span><span class="cx"> <step>
</span><del>- <para>When finished, Save your work.</para>
</del><ins>+ <para>When finished, save your work.</para>
</ins><span class="cx"> </step>
</span><span class="cx"> </procedure>
</span><span class="cx"> </section>
</span><span class="lines">@@ -1113,11 +1142,11 @@
</span><span class="cx"> -->
</span><span class="cx">
</span><span class="cx"> <section \
xml:id="oauth2-client-plus-authz"> </span><del>- \
<title>Configuring OpenAM as Authorization Server &amp; \
Client</title> </del><ins>+ <title>Configuring OpenAM as Authorization \
Server and Client</title> </ins><span class="cx">
</span><span class="cx"> <indexterm>
</span><span class="cx"> <primary>OAuth 2.0</primary>
</span><del>- <secondary>OpenAM as authorization server &amp; \
client</secondary> </del><ins>+ <secondary>OpenAM as authorization \
server and client</secondary> </ins><span class="cx"> \
<tertiary>configuring</tertiary> </span><span class="cx"> \
</indexterm> </span><span class="cx">
</span><span class="lines">@@ -1128,20 +1157,23 @@
</span><span class="cx"> by using an OpenAM policy agent.
</span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-oauth2-end-to-end-example">
- <alt>OpenAM authorization server, OpenAM client, resource \
server</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-end-to-end-example.png" \
format="PNG" />
- </imageobject>
- <textobject>
- <para>
- This example uses three servers,
- an OAuth 2.0 authorization server configured in an OpenAM server,
- an OAuth 2.0 client configured in another OpenAM server,
- and an OAuth 2.0 resource server which is protected with a policy agent.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-end-to-end-example">
+ <title>OpenAM Authorization Server, OpenAM Client, and Resource \
Server</title> + <mediaobject>
+ <alt>OpenAM authorization server, OpenAM client, resource \
server</alt> + <imageobject>
+ <imagedata fileref="images/oauth2-end-to-end-example.png" \
format="PNG" /> + </imageobject>
+ <textobject>
+ <para>
+ This example uses three servers,
+ an OAuth 2.0 authorization server configured in an OpenAM server,
+ an OAuth 2.0 client configured in another OpenAM server,
+ and an OAuth 2.0 resource server which is protected with a policy agent.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> The example in this section uses three servers,
</span><span class="lines">@@ -1159,7 +1191,7 @@
</span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- The high-level configuration steps are as follows.
</del><ins>+ The high-level configuration steps are as follows:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <orderedlist>
</span><span class="lines">@@ -1239,9 +1271,9 @@
</span><span class="cx"> and also as the OAuth 2.0 client,
</span><span class="cx"> with an OpenAM policy agent on the resource server
</span><span class="cx"> requesting policy decisions from OpenAM as OAuth 2.0 \
client. </span><del>- In this way any server protected by a policy agent
</del><ins>+ In this way, any server protected by a policy agent
</ins><span class="cx"> that is connected to an OpenAM OAuth 2.0 client
</span><del>- can act as an OAuth 2.0 resource server.
</del><ins>+ can act as an OAuth 2.0 resource server:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <orderedlist>
</span><span class="lines">@@ -1265,9 +1297,9 @@
</span><span class="cx"> ><citetitle>Java EE Policy Agent User's \
Guide</citetitle></link> </span><span class="cx"> for instructions \
on installing a policy agent. This example relies on the </span><span class="cx"> \
Apache Tomcat Java EE policy agent, configured to protect resources in </span><del>- \
Apache Tomcat at <literal>http://www.example.com:8080/</literal>.</para>
</del><ins>+ Apache Tomcat (Tomcat) at \
<literal>http://www.example.com:8080/</literal>.</para> </ins><span \
class="cx"> </span><del>- <para>The policies for this example protect the \
Apache Tomcat examples </del><ins>+ <para>The policies for this example \
protect the Tomcat examples </ins><span class="cx"> under \
<literal>http://www.example.com:8080/examples/</literal>, allowing \
</span><span class="cx"> GET and POST operations by all authenticated users. For \
more information </span><span class="cx"> on creating policies, see <link \
xlink:show="new" </span><span class="lines">@@ -1277,22 +1309,26 @@
</span><span class="cx">
</span><span class="cx"> <para>After setting up the policy agent and the \
policy, you can make sure </span><span class="cx"> everything is working by \
attempting to access a protected resource, in this </span><del>- case \
<literal>http://www.example.com:8080/examples/</literal>. The policy \
</del><ins>+ case, \
<literal>http://www.example.com:8080/examples/</literal>. The policy \
</ins><span class="cx"> agent should redirect you to OpenAM to authenticate with \
the default </span><span class="cx"> authentication module, where you can login \
as user <literal>demo</literal> </span><span class="cx"> password \
<literal>changeit</literal>. After successful authentication, \
</span><span class="cx"> OpenAM redirects your browser back to the protected \
resource and the </span><del>- policy agent lets you get the protected resource, \
in this case the Tomcat </del><ins>+ policy agent lets you get the protected \
resource, in this case, the Tomcat </ins><span class="cx"> examples top \
page.</para> </span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-examples">
- <alt>Successfully accessing the Apache Tomcat examples</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-examples.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>If your policy agent and policy are set up \
correctly,
- you should get HTTP 200 and the Apache Tomcat examples \
page.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-examples">
+ <title>Accessing the Apache Tomcat Examples</title>
+ <mediaobject>
+ <alt>Successfully accessing the Apache Tomcat examples</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-examples.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>If your policy agent and policy are set up \
correctly, + you should get HTTP 200 and the Apache Tomcat examples \
page.</para></textobject> + </mediaobject>
+ </figure>
+
</ins><span class="cx"> </listitem>
</span><span class="cx">
</span><span class="cx"> <listitem>
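Review bot: this hunk normalizes commas but leaves "where you can login as user <literal>demo</literal>" in the unchanged context, while the same commit changes "Login to the identity provider" and "Logout of all OpenAM servers" to "Log in" / "Log out" later in this file; change the verb here to "log in as user" for consistency. Also, the new figure block ends with a stray "+" blank line before </listitem> that none of the other figure conversions in this change add; drop it so the markup stays uniform.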
</span><span class="lines">@@ -1310,7 +1346,7 @@
</span><span class="cx"> <para>
</span><span class="cx"> On the OpenAM server to be configured as an OAuth 2.0 \
client, </span><span class="cx"> configure an OpenAM OAuth 2.0 / OpenID Connect \
authentication module </span><del>- instance for the top-level realm.
</del><ins>+ instance for the top-level realm:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>Under Access Control &gt; / (Top-Level \
Realm) &gt; Authentication </span><span class="lines">@@ -1321,6 +1357,7 @@
</span><span class="cx"> <para>Then click Authentication &gt; Module \
Instances &gt; OAuth2 to open </span><span class="cx"> the OAuth 2.0 client \
configuration page. This page offers numerous options. </span><span class="cx"> \
The key settings for this example are the following.</para> </span><ins>+
</ins><span class="cx"> <variablelist>
</span><span class="cx"> <varlistentry>
</span><span class="cx"> <term>Client Id</term>
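Review bot: the added blank line follows "The key settings for this example are the following.</para>", but that sentence keeps a full stop while every other list or listing lead-in in this change was switched to a colon (for example "the key entities are the following:" in chap-openid-connect.xml); change it to "are the following:" here as well.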
</span><span class="lines">@@ -1348,13 +1385,13 @@
</span><span class="cx"> \
<literal>http://authz.example.com:8080/openam/oauth2/authorize</literal>.</para>
</span><span class="cx">
</span><span class="cx"> <para>This OpenAM endpoint can take additional \
parameters. In </span><del>- particular you must specify the realm if the \
OpenAM OAuth 2.0 </del><ins>+ particular, you must specify the realm if the \
OpenAM OAuth 2.0 </ins><span class="cx"> provider is configured for a \
subrealm rather than / (Top-Level </span><span class="cx"> \
Realm).</para> </span><span class="cx">
</span><span class="cx"> <para>For example, if the OAuth 2.0 provider \
is configured for the </span><span class="cx"> realm \
<literal>/customers</literal>, then use the following URL: </span><del>- \
<literal>http://authz.example.com:8080/openam/oauth2/authorize?realm=/customers</literal></para>
</del><ins>+ \
<literal>http://authz.example.com:8080/openam/oauth2/authorize?realm=/customers</literal>.</para>
</ins><span class="cx">
</span><span class="cx"> <para>The \
<literal>/oauth2/authorize</literal> endpoint can also take </span><span \
class="cx"> <literal>module</literal> and \
<literal>service</literal> parameters. Use </span><span class="lines">@@ \
-1373,13 +1410,13 @@ </span><span class="cx"> \
<literal>http://authz.example.com:8080/openam/oauth2/access_token</literal>.</para>
</span><span class="cx">
</span><span class="cx"> <para>This OpenAM endpoint can take additional \
parameters. In </span><del>- particular you must specify the realm if the \
OpenAM OAuth 2.0 </del><ins>+ particular, you must specify the realm if the \
OpenAM OAuth 2.0 </ins><span class="cx"> provider is configured for a \
subrealm rather than / (Top-Level </span><span class="cx"> \
Realm).</para> </span><span class="cx">
</span><span class="cx"> <para>For example, if the OAuth 2.0 provider \
is configured for the </span><span class="cx"> realm \
<literal>/customers</literal>, then use the following URL: </span><del>- \
<literal>http://authz.example.com:8080/openam/oauth2/access_token?realm=/customers</literal></para>
</del><ins>+ \
<literal>http://authz.example.com:8080/openam/oauth2/access_token?realm=/customers</literal>.</para>
</ins><span class="cx"> </listitem>
</span><span class="cx"> </varlistentry>
</span><span class="cx"> <varlistentry>
</span><span class="lines">@@ -1533,15 +1570,19 @@
</span><span class="cx"> as user <literal>demo</literal>, password \
<literal>changeit</literal>, </span><span class="cx"> OpenAM \
presents you with an authorization decision page.</para> </span><span \
class="cx"> </span><del>- <mediaobject \
xml:id="figure-oauth2-authz-page">
- <alt>OpenAM presenting authorization decision page to resource \
owner</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-authz-page.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>Upon successful authentication, the resource \
owner must
- make a decision to authorize the client to access the protected
- resource.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-authz-page">
+ <title>OpenAM Presenting Authorization Decision Page to Resource \
Owner</title> + <mediaobject>
+ <alt>OpenAM presenting authorization decision page to resource \
owner</alt> + <imageobject>
+ <imagedata fileref="images/oauth2-authz-page.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>Upon successful authentication, the resource \
owner must + make a decision to authorize the client to access the protected
+ resource.</para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>When you click Allow, the authorization \
service creates an SSO </span><span class="cx"> session, and redirects the \
client back to the resource, thus allowing </span><span class="lines">@@ -1552,21 \
+1593,25 @@ </span><span class="cx"> accesses the resource, but only ensure that \
you have authenticated and </span><span class="cx"> have a valid \
session.</para> </span><span class="cx">
</span><del>- <mediaobject xml:id="figure-oauth2-examples-again">
- <alt>Successfully accessing the Apache Tomcat examples</alt>
- <imageobject>
- <imagedata fileref="images/oauth2-examples.png" \
format="PNG"/>
- </imageobject>
- <textobject><para>If everything is set up correctly, you should \
end up
- with HTTP 200 and the Apache Tomcat examples \
page.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-oauth2-examples-again">
+ <title>Successfully Accessing the Apache Tomcat Examples</title>
+ <mediaobject>
+ <alt>Successfully accessing the Apache Tomcat examples</alt>
+ <imageobject>
+ <imagedata fileref="images/oauth2-examples.png" \
format="PNG"/> + </imageobject>
+ <textobject><para>If everything is set up correctly, you should \
end up + with HTTP 200 and the Apache Tomcat examples page.</para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx"> </listitem>
</span><span class="cx"> </orderedlist>
</span><span class="cx"> </example>
</span><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="oauth2-sp-and-authz">
</span><del>- <title>Configuring OpenAM as a SAML Service Provider &amp; \
OAuth2 Authorization Server</title> </del><ins>+ <title>Configuring \
OpenAM as a SAML Service Provider and OAuth2 Authorization Server</title> \
</ins><span class="cx"> </span><span class="cx"> <indexterm>
</span><span class="cx"> <primary>OAuth 2.0</primary>
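Review bot: figure-oauth2-examples-again reuses images/oauth2-examples.png with the title "Successfully Accessing the Apache Tomcat Examples", while figure-oauth2-examples earlier in this same change got "Accessing the Apache Tomcat Examples" for the same image and the same alt text; now that these titles render as captions (and in any list of figures), pick one wording for both. In the section title this hunk also edits, "Configuring OpenAM as a SAML Service Provider and OAuth2 Authorization Server", "OAuth2" should be "OAuth 2.0" to match every other title in the file.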
</span><span class="lines">@@ -1586,7 +1631,7 @@
</span><span class="cx"> completes SAML v2.0 Web Single Sign-On.</para>
</span><span class="cx">
</span><span class="cx"> <para>You can configure OpenAM as both SAML v2.0 \
service provider and OAuth </span><del>- 2.0 authorization server, using an built-in \
adapter class to POST assertions </del><ins>+ 2.0 authorization server, using a \
built-in adapter class to POST assertions </ins><span class="cx"> returned to the \
service provider to the access token endpoint of the </span><span class="cx"> \
authorization server. This allows clients to send a resource owner to the \
</span><span class="cx"> identity provider for SAML v2.0 web SSO, get an assertion \
at the service </span><span class="lines">@@ -1595,7 +1640,7 @@
</span><span class="cx"> resource owner to start web SSO as described in <link
</span><span class="cx"> xlink:href="admin-guide#using-saml2-sso-slo"
</span><span class="cx"> \
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Using \
SAML v2.0 </span><del>- Single Sign-On &amp; Single \
Logout</citetitle></link>, and then retrieve the </del><ins>+ Single \
Sign-On and Single Logout</citetitle></link>, and then retrieve the \
</ins><span class="cx"> access token on success or handle the error condition on \
failure.</para> </span><span class="cx">
</span><span class="cx"> <procedure \
xml:id="configure-oauth2-sp-and-authz"> </span><span class="lines">@@ \
-1608,7 +1653,7 @@ </span><span class="cx"> </indexterm>
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><del>- <para>For this scenario to work, the following conditions must \
be met.</para> </del><ins>+ <para>For this scenario to work, the \
following conditions must be met:</para> </ins><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>The client must make the resource owner \
understand that by </span><span class="lines">@@ -1656,7 +1701,7 @@
</span><span class="cx"> name IDs are correctly configured to map resource owner \
accounts.</para> </span><span class="cx">
</span><span class="cx"> <para>When configuring OpenAM as a hosted identity \
provider follow these </span><del>- steps.</para>
</del><ins>+ steps:</para>
</ins><span class="cx">
</span><span class="cx"> <substeps>
</span><span class="cx"> <step>
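Review bot: "When configuring OpenAM as a hosted identity provider follow these steps:" still lacks the comma after the introductory clause ("...hosted identity provider, follow these steps:"), even though this change adds exactly that comma elsewhere ("In this configuration, OpenAM serves..."; "However, if you create...").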
</span><span class="lines">@@ -1769,7 +1814,7 @@
</span><span class="cx">
</span><span class="cx"> <substeps>
</span><span class="cx"> <step>
</span><del>- <para>Logout of all OpenAM servers.</para>
</del><ins>+ <para>Log out of all OpenAM servers.</para>
</ins><span class="cx"> </step>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="lines">@@ -1779,7 +1824,7 @@
</span><span class="cx"> \
<literal>https://www.idp.example:8443/openam</literal> with meta alias \
</span><span class="cx"> <literal>/idp</literal> and your service \
provider is at </span><span class="cx"> \
<literal>https://www.sp.example:8443/openam</literal>, then browse to the \
</span><del>- following URL (without line breaks or spaces).</para> \
</del><ins>+ following URL (without line breaks or spaces):</para> \
</ins><span class="cx"> </span><span class="cx"> <programlisting \
language="none" </span><span class="cx"> \
>http://www.idp.example:8443/openam/saml2/jsp/idpSSOInit.jsp </span><span \
class="lines">@@ -1788,18 +1833,18 @@ </span><span class="cx"> <para>For \
other configurations, see <link </span><span class="cx"> \
xlink:href="admin-guide#using-saml2-sso-slo" </span><span class="cx"> \
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Using \
SAML v2.0 </span><del>- Single Sign-On &amp; Single \
Logout</citetitle></link>.</para> </del><ins>+ Single Sign-On \
and Single Logout</citetitle></link>.</para> </ins><span \
class="cx"> </step> </span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Login to the identity provider.</para>
</del><ins>+ <para>Log in to the identity provider.</para>
</ins><span class="cx">
</span><span class="cx"> <para>For OpenAM, login with user name \
<literal>demo</literal> and </span><span class="cx"> password \
<literal>changeit</literal>.</para> </span><span class="cx"> \
</step> </span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Login to the service provider.</para>
</del><ins>+ <para>Log in to the service provider.</para>
</ins><span class="cx">
</span><span class="cx"> <para>For OpenAM, login with user name \
<literal>demo</literal> and </span><span class="cx"> password \
<literal>changeit</literal>.</para> </span><span class="lines">@@ \
-1808,7 +1853,8 @@ </span><span class="cx"> <step>
</span><span class="cx"> <para>See the resulting access token on \
successful login.</para> </span><span class="cx">
</span><del>- <para>The result looks something like this, all on one \
line.</para> </del><ins>+ <para>The result looks something like \
this, all on one line:</para> +
</ins><span class="cx"> <programlisting language="javascript">{
</span><span class="cx"> "expires_in": 59,
</span><span class="cx"> "token_type": "Bearer",
</span></span></pre></div>
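Review bot: in the hunk at "@@ -1779,7 +1824,7 @@" the example places the identity provider at <literal>https://www.idp.example:8443/openam</literal>, but the programlisting it introduces starts the SSO with http://www.idp.example:8443/openam/saml2/jsp/idpSSOInit.jsp; the scheme should be https to match the stated deployment and so the documented SAML flow is not shown running over plaintext. Since the hunk already rewrites the lead-in sentence ("following URL (without line breaks or spaces):"), it is the natural place to correct the listing too.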
<a id="trunkdocsserversrcmaindocbkxadminguidechapopenidconnectxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-openid-connect.xml (14912 => \
14913)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-openid-connect.xml 2015-07-31 \
16:33:31 UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-openid-connect.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -52,7 +52,7 @@
</span><span class="cx"> that the third-party application aims to access.
</span><span class="cx"> This resource is the \
<emphasis>UserInfo</emphasis>, </span><span class="cx"> information \
about the authenticated end user expressed in a standard format. </span><del>- In \
this way OpenID Connect 1.0 allows relying parties </del><ins>+ In this way, OpenID \
Connect 1.0 allows relying parties </ins><span class="cx"> both to verify the \
identity of the end user </span><span class="cx"> and also to obtain user \
information using REST. </span><span class="cx"> This contrasts with OAuth 2.0, \
which only defines the authorization mechanism. </span><span class="lines">@@ -61,7 \
+61,7 @@ </span><span class="cx"> <itemizedlist>
</span><span class="cx"> <para>
</span><span class="cx"> The names used in OpenID Connect 1.0 differ from those \
used in OAuth 2.0. </span><del>- In OpenID Connect 1.0, the key entities are the \
following. </del><ins>+ In OpenID Connect 1.0, the key entities are the following:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="lines">@@ -127,7 +127,7 @@
</span><span class="cx"> </itemizedlist>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- In OpenID Connect the relying party can verify claims
</del><ins>+ In OpenID Connect, the relying party can verify claims
</ins><span class="cx"> about the identity of the end user,
</span><span class="cx"> and log the user out at the end of a session.
</span><span class="cx"> OpenID Connect also makes it possible
</span><span class="lines">@@ -171,17 +171,20 @@
</span><span class="cx"> and optional use of the access token to get information \
about the end user. </span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject xml:id="figure-openid-connect-basic">
- <alt>OpenAM in OpenID Connect Authorization Code Flow</alt>
- <imageobject>
- <imagedata fileref="images/openid-connect-basic.png" \
format="PNG"/>
- </imageobject>
- <textobject>
- <para>
- OpenAM supports the OpenID Connect Authorization Code Flow.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-openid-connect-basic">
+ <title>OpenAM in OpenID Connect Authorization Code Flow</title>
+ <mediaobject>
+ <alt>OpenAM in OpenID Connect Authorization Code Flow</alt>
+ <imageobject>
+ <imagedata fileref="images/openid-connect-basic.png" \
format="PNG"/> + </imageobject>
+ <textobject>
+ <para>
+ OpenAM supports the OpenID Connect Authorization Code Flow.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> In addition to what OAuth 2.0 specifies,
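Review bot: in the new figure wrapper the title, the alt text and the textobject paragraph all carry the same sentence in slightly different words ("OpenAM in OpenID Connect Authorization Code Flow" and "OpenAM supports the OpenID Connect Authorization Code Flow"). The alt and textobject are what a reader gets instead of the image, so they would be more useful describing what the diagram shows (the parties and the redirects between them) rather than restating the title. Also note that the xml:id figure-openid-connect-basic has moved from the mediaobject to the enclosing figure, so any xref to it now renders as a numbered figure reference; that is presumably intended, but worth a check that it reads well where it is cited. The same comment applies to the other mediaobject-to-figure conversions in this file.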
</span><span class="lines">@@ -207,17 +210,20 @@
</span><span class="cx"> and optional use of the access token to get information \
about the end user. </span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject xml:id="figure-openid-connect-implicit">
- <alt>OpenAM in OpenID Connect Implicit Flow</alt>
- <imageobject>
- <imagedata fileref="images/openid-connect-implicit.png" \
format="PNG"/>
- </imageobject>
- <textobject>
- <para>
- OpenAM supports the OpenID Connect Implicit Flow.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-openid-connect-implicit">
+ <title>OpenAM in OpenID Connect Implicit Flow</title>
+ <mediaobject>
+ <alt>OpenAM in OpenID Connect Implicit Flow</alt>
+ <imageobject>
+ <imagedata fileref="images/openid-connect-implicit.png" \
format="PNG"/> + </imageobject>
+ <textobject>
+ <para>
+ OpenAM supports the OpenID Connect Implicit Flow.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> As for the Authorization Code Flow, the Implicit Flow \
specifies </span><span class="lines">@@ -245,7 +251,7 @@
</span><span class="cx"> OpenID Connect relying parties register OAuth 2.0 client \
profiles with OpenAM. </span><span class="cx"> Relying parties can register with \
OpenAM as a provider both statically, </span><span class="cx"> as for other OAuth \
2.0 clients, </span><del>- and also dynamically as specified by OpenID Connect \
Discovery. </del><ins>+ and also dynamically, as specified by OpenID Connect \
Discovery. </ins><span class="cx"> To allow dynamic registration, you register an \
initial OAuth 2.0 client </span><span class="cx"> that other relying parties can \
use to get access tokens for registration. </span><span class="cx"> </para>
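Review bot: the edited line "and also dynamically, as specified by OpenID Connect Discovery" names the wrong specification; dynamic client registration is defined by OpenID Connect Dynamic Client Registration 1.0, while Discovery covers provider metadata and issuer lookup (the topic of the discovery section further down). Since the line is being touched for punctuation anyway, suggest "and also dynamically, as specified by OpenID Connect Dynamic Client Registration."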
</span><span class="lines">@@ -299,7 +305,7 @@
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="cx"> <para>
</span><del>- Next, configure the OpenID Connect specific options.
</del><ins>+ Next, configure the OpenID Connect specific options:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="lines">@@ -427,7 +433,7 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> To retrieve the OpenID Provider for an end user,
</span><del>- the relying party needs the following.
</del><ins>+ the relying party needs the following:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <variablelist>
</span><span class="lines">@@ -448,7 +454,7 @@
</span><span class="cx"> <para>Identifies the end user that is the subject \
of the request.</para> </span><span class="cx">
</span><span class="cx"> <para>The relying party must percent-encode the \
resource value when using it in </span><del>- the query string of the request, so \
when using the "acct" URI scheme and </del><ins>+ the query string of \
the request, so when using the <literal>acct</literal> URI scheme and \
</ins><span class="cx"> the resource is \
<literal>acct:user@example.com</literal>, then the value </span><span \
class="cx"> to use is \
<literal>acct%3Auser%40example.com</literal>.</para> </span><span \
class="cx"> </listitem> </span><span class="lines">@@ -466,7 +472,7 @@
</span><span class="cx"> </variablelist>
</span><span class="cx">
</span><span class="cx"> <para>Ignoring the question of redirection, you can \
test the endpoint for the </span><del>- demo user account (output lines folded to \
make them easier to read).</para> </del><ins>+ demo user account (output lines \
folded to make them easier to read):</para> </ins><span class="cx">
</span><span class="cx"> <screen>
</span><span class="cx"> $ <userinput>curl \
</span><span class="lines">@@ -490,7 +496,7 @@
</span><span class="cx"> <para>
</span><span class="cx"> The relying party can also discover the OpenID provider \
configuration. </span><span class="cx"> Ignoring the question of redirection, you \
can test this </span><del>- (output lines folded to make them easier to read).
</del><ins>+ (output lines folded to make them easier to read):
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <informalexample>
</span><span class="lines">@@ -571,7 +577,7 @@
</span><span class="cx"> <para>Follow the hints in the section, <link \
xlink:show="new" </span><span class="cx"> \
xlink:href="admin-guide#configure-oauth2-client" </span><span class="cx"> \
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring
</span><del>- OAuth 2.0 &amp; OpenID Connect 1.0 \
Clients</citetitle></link> to edit </del><ins>+ OAuth 2.0 and OpenID \
Connect 1.0 Clients</citetitle></link> to edit </ins><span class="cx"> \
the profile to match the relying party configuration.</para> </span><span \
class="cx"> </span><span class="cx"> <para>In order to read and edit the \
relying party profile dynamically later </span><span class="lines">@@ -594,7 +600,7 \
@@ </span><span class="cx"> <tip>
</span><span class="cx"> <para>
</span><span class="cx"> As described in <xref \
linkend="openam-openid-client-registration" />, </span><del>- You \
can allow relying parties to register without having an access token </del><ins>+ \
you can allow relying parties to register without having an access token </ins><span \
class="cx"> by setting the advanced server property, </span><span class="cx"> \
<literal>org.forgerock.openam.openidconnect.allow.open.dynamic.registration</literal>,
</span><span class="cx"> to <literal>true</literal>.
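Review bot: the tip now reads as a sentence, but it still presents org.forgerock.openam.openidconnect.allow.open.dynamic.registration set to true without saying what it means: the surrounding lines say relying parties can then "register without having an access token", so any party that can reach the registration endpoint can create a client profile in OpenAM with no credential at all. Suggest adding one sentence that this setting is for development or test deployments, and that production deployments should leave it at the default and issue registration access tokens through the initial client as the procedure describes.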
</span><span class="lines">@@ -605,7 +611,7 @@
</span><span class="cx">
</span><span class="cx"> <para>On successful registration, OpenAM responds \
with information including </span><span class="cx"> an access token to allow the \
relying party subsequently to read and edit its </span><del>- profile.</para>
</del><ins>+ profile:</para>
</ins><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>Register an initial OAuth 2.0 client \
statically with a client ID </span><span class="lines">@@ -619,7 +625,7 @@
</span><span class="cx"> <para>For example, if you created the client as \
described in the previous </span><span class="cx"> step, and OpenAM administrator \
<literal>amadmin</literal> has password </span><span class="cx"> \
<literal>password</literal>, you can use the OAuth 2.0 resource owner \
</span><del>- password grant as in the following example.</para> \
</del><ins>+ password grant as in the following example:</para> </ins><span \
class="cx"> </span><span class="cx"> <screen>
</span><span class="cx"> $ <userinput>curl \
</span><span class="lines">@@ -645,7 +651,7 @@
</span><span class="cx"> the examples <link xlink:show="new"
</span><span class="cx"> \
xlink:href="https://github.com/ForgeRock/openid">available \
online</link>. </span><span class="cx"> Successful registration shows a \
response that includes the client ID and </span><del>- client secret. Lines are \
folded in the following example.</para> </del><ins>+ client secret. Lines \
are folded in the following example:</para> </ins><span class="cx">
</span><span class="cx"> <programlisting language="javascript">
</span><span class="cx"> {
</span><span class="lines">@@ -677,9 +683,9 @@
</span><span class="cx"> <para>As described in the <link
</span><span class="cx"> \
xlink:href="http://openid.net/specs/openid-connect-session-1_0.html" \
</span><span class="cx"> xlink:show="new">OpenID Connect Session \
Management 1.0</link> specification, </span><del>- OpenAM's OpenID Provider \
exposes both a "check_session_iframe" URL </del><ins>+ OpenAM's OpenID \
Provider exposes both a <literal>check_session_iframe</literal> URL \
</ins><span class="cx"> that allows the relying party to receive notifications when \
the end user's session </span><del>- state changes at the provider, and also an \
"end_session_endpoint" URL to </del><ins>+ state changes at the provider, \
and also an <literal>end_session_endpoint</literal> URL to </ins><span \
class="cx"> which to redirect an end user for logout.</para> </span><span \
class="cx"> </span><span class="cx"> <para>When registering your relying \
party that uses session management, you set the </span><span class="lines">@@ -687,7 \
+693,7 @@ </span><span class="cx"> Client Session URI, described in <link \
xlink:show="new" </span><span class="cx"> \
xlink:href="admin-guide#configure-oauth2-client" </span><span class="cx"> \
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring
</span><del>- OAuth 2.0 &amp; OpenID Connect 1.0 \
Clients</citetitle></link>. The Post </del><ins>+ OAuth 2.0 and OpenID \
Connect 1.0 Clients</citetitle></link>. The Post </ins><span class="cx"> \
Logout Redirect URI is used to redirect the end user user-agent after logout. \
</span><span class="cx"> The Client Session URI is the relying party URI where \
OpenAM sends notifications </span><span class="cx"> when the end user's session \
state changes.</para> </span><span class="lines">@@ -713,26 +719,29 @@
</span><span class="cx"> \
xlink:href="https://github.com/ForgeRock/openid" </span><span class="cx"> \
>available online</link>. </span><span class="cx"> Clone the example \
project to deploy it in the same web container as OpenAM. </span><del>- Edit the \
configuration at the outset of the .js files in the project, </del><ins>+ Edit the \
configuration at the outset of the <literal>.js</literal> files in the \
project, </ins><span class="cx"> register a corresponding profile for the example \
relying party </span><span class="cx"> as described in <xref \
linkend="register-openid-connect-clients"/>, </span><span class="cx"> \
and browse the deployment URL to see the initial page. </span><span class="cx"> \
</para> </span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-openid-connect-example-start-page">
- <alt>OpenID Connect Client Profiles Start Page</alt>
- <imageobject>
- <imagedata fileref="images/openid-connect-example-start-page.png" \
format="PNG" />
- </imageobject>
- <textobject>
- <para>
- The OpenID Connect Client Profiles Start Page
- lets you choose whether to try
- the Basic Client Profile (Authorization Code Flow)
- or the Implicit Client Profile (Implicit Code Flow).
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure \
xml:id="figure-openid-connect-example-start-page"> + \
<title>OpenID Connect Client Profiles Start Page</title> + \
<mediaobject> + <alt>OpenID Connect Client Profiles Start \
Page</alt> + <imageobject>
+ <imagedata fileref="images/openid-connect-example-start-page.png" \
format="PNG" /> + </imageobject>
+ <textobject>
+ <para>
+ The OpenID Connect Client Profiles Start Page
+ lets you choose whether to try
+ the Basic Client Profile (Authorization Code Flow)
+ or the Implicit Client Profile (Implicit Code Flow).
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <section \
xml:id="openid-basic-profile-example"> </span><span class="cx"> \
<title>Authorization Code Flow Example</title> </span><span \
class="lines">@@ -757,20 +766,23 @@ </span><span class="cx"> check that the OAuth \
2.0 client profile matches the settings described. </span><span class="cx"> \
</para> </span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-openid-connect-basic-start-page">
- <alt>OpenID Connect Basic Client Profile Start Page</alt>
- <imageobject>
- <imagedata fileref="images/openid-connect-basic-start-page.png" \
format="PNG" />
- </imageobject>
- <textobject>
- <para>
- The Basic Client Profile start page describes the configuration required.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure \
xml:id="figure-openid-connect-basic-start-page"> + \
<title>OpenID Connect Basic Client Profile Start Page</title> + \
<mediaobject> + <alt>OpenID Connect Basic Client Profile Start \
Page</alt> + <imageobject>
+ <imagedata fileref="images/openid-connect-basic-start-page.png" \
format="PNG" /> + </imageobject>
+ <textobject>
+ <para>
+ The Basic Client Profile start page describes the configuration required.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><del>- Logout of OpenAM,
</del><ins>+ Log out of OpenAM,
</ins><span class="cx"> and click the link at the bottom of the page to request \
authorization. </span><span class="cx"> The link sends an HTTP GET request
</span><span class="cx"> asking for <literal>openid profile</literal> \
scopes </span><span class="lines">@@ -794,23 +806,26 @@
</span><span class="cx"> It shows the response to that request.
</span><span class="cx"> It also validates the ID token signature using the \
default (HS256) algorithm, </span><span class="cx"> and decodes the ID token to \
validate its content and show it in the output. </span><del>- Finally it uses the \
access token </del><ins>+ Finally, it uses the access token
</ins><span class="cx"> to request information about the end user who \
authenticated, </span><span class="cx"> and displays the result.
</span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-openid-connect-basic-response-page">
- <alt>OpenID Connect Basic Client Profile Response Page</alt>
- <imageobject>
- <imagedata fileref="images/openid-connect-basic-response-page.png" \
format="PNG" />
- </imageobject>
- <textobject>
- <para>
- The Basic Client Profile response page for the Authorization Code Flow
- shows responses from OpenAM's OpenID Provider.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure \
xml:id="figure-openid-connect-basic-response-page"> + \
<title>OpenID Connect Basic Client Profile Response Page</title> + \
<mediaobject> + <alt>OpenID Connect Basic Client Profile Response \
Page</alt> + <imageobject>
+ <imagedata \
fileref="images/openid-connect-basic-response-page.png" \
format="PNG" /> + </imageobject>
+ <textobject>
+ <para>
+ The Basic Client Profile response page for the Authorization Code Flow
+ shows responses from OpenAM's OpenID Provider.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> Notice that in addition to the standard payload,
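Review bot: the context line "validates the ID token signature using the default (HS256) algorithm" would benefit from a sentence on what that implies for the relying party: an HS256 signature is an HMAC keyed with the client secret, so the example relying party has to hold that secret, and it lives in the configuration at the start of the example .js files mentioned earlier in this section. A reader who reuses the example in a client delivered to the browser would be shipping the secret with it; pointing out that an asymmetric signing algorithm verified against the provider's published keys avoids that would make the example safer to copy.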
</span><span class="lines">@@ -838,25 +853,28 @@
</span><span class="cx"> In OpenAM console,
</span><span class="cx"> check that the OAuth 2.0 client profile matches the \
settings described. </span><span class="cx"> If you have already configured the \
agent profile </span><del>- for the Authorization Code Flow example
</del><ins>+ for the Authorization Code Flow example,
</ins><span class="cx"> then you still need to add the redirect URI for the \
Implicit Flow. </span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-openid-connect-implicit-start-page">
- <alt>OpenID Connect Implicit Client Profile Start Page</alt>
- <imageobject>
- <imagedata fileref="images/openid-connect-implicit-start-page.png" \
format="PNG" />
- </imageobject>
- <textobject>
- <para>
- The Implicit Client Profile start page for the Implicit Flow
- describes the configuration required.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure \
xml:id="figure-openid-connect-implicit-start-page"> + \
<title>OpenID Connect Implicit Client Profile Start Page</title> + \
<mediaobject> + <alt>OpenID Connect Implicit Client Profile Start \
Page</alt> + <imageobject>
+ <imagedata \
fileref="images/openid-connect-implicit-start-page.png" \
format="PNG" /> + </imageobject>
+ <textobject>
+ <para>
+ The Implicit Client Profile start page for the Implicit Flow
+ describes the configuration required.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><del>- Logout of OpenAM,
</del><ins>+ Log out of OpenAM,
</ins><span class="cx"> and click the link at the bottom of the page to request \
authorization. </span><span class="cx"> The link sends an HTTP GET request asking
</span><span class="cx"> for <literal>id_token token</literal> \
response types </span><span class="lines">@@ -881,23 +899,26 @@
</span><span class="cx"> The relying party shows the response to the request.
</span><span class="cx"> It also validates the ID token signature using the \
default (HS256) algorithm, </span><span class="cx"> and decodes the ID token to \
validate its content and show it in the output. </span><del>- Finally the relying \
party uses the access token </del><ins>+ Finally, the relying party uses the \
access token </ins><span class="cx"> to request information about the end user \
who authenticated, </span><span class="cx"> and displays the result.
</span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-openid-connect-implicit-response-page">
- <alt>OpenID Connect Implicit Client Profile Response Page</alt>
- <imageobject>
- <imagedata fileref="images/openid-connect-implicit-response-page.png" \
format="PNG" />
- </imageobject>
- <textobject>
- <para>
- The Implicit Client Profile response page for the Implicit Flow
- shows responses from OpenAM's OpenID Provider.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure \
xml:id="figure-openid-connect-implicit-response-page"> + \
<title>OpenID Connect Implicit Client Profile Response Page</title> + \
<mediaobject> + <alt>OpenID Connect Implicit Client Profile Response \
Page</alt> + <imageobject>
+ <imagedata \
fileref="images/openid-connect-implicit-response-page.png" \
format="PNG" /> + </imageobject>
+ <textobject>
+ <para>
+ The Implicit Client Profile response page for the Implicit Flow
+ shows responses from OpenAM's OpenID Provider.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> As for the Authorization Code Flow example,
</span><span class="lines">@@ -916,7 +937,7 @@
</span><span class="cx"> xlink:href="admin-guide#chap-certs-keystores"
</span><span class="cx"> \
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Managing
</span><span class="cx"> Certificates</citetitle></link> includes some \
discussion of protecting </span><del>- traffic in the container where OpenAM runs. \
Also see the documentation for </del><ins>+ traffic in the container where OpenAM \
runs. Also, see the documentation for </ins><span class="cx"> your web application \
container.</para> </span><span class="cx">
</span><span class="cx"> <para>Also take into account the points developed in \
the section on <link </span><span class="lines">@@ -945,7 +966,7 @@
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="cx"> <para>
</span><del>- This section includes an overview, as well as the following.
</del><ins>+ This section includes an overview, as well as the following:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="lines">@@ -968,7 +989,7 @@
</span><span class="cx"> </itemizedlist>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- In a Mobile Connect deployment OpenAM can play the OpenID Provider \
role, </del><ins>+ In a Mobile Connect deployment, OpenAM can play the OpenID \
Provider role, </ins><span class="cx"> implementing the Mobile Connect Profile
</span><span class="cx"> as part of the Service Provider - Identity Gateway \
interface. </span><span class="cx"> </para>
</span><span class="lines">@@ -987,11 +1008,11 @@
</span><span class="cx"> <para>
</span><span class="cx"> In OpenAM, Mobile Connect LoAs map to an authentication \
mechanism. </span><span class="cx"> Service Providers acting as OpenID Relying \
Parties (RP) request an LoA </span><del>- by using the "acr_values" field \
in an OIDC authentication request.
- In OIDC, "acr_values" specifies Authentication Context Class Reference \
values.
- The RP sets "acr_values" as part of the OIDC Authentication Request.
- OpenAM returns the corresponding "acr" claim in the Authentication \
Response
- as the value of the ID Token "acr" field.
</del><ins>+ by using the <literal>acr_values</literal> field in an \
OIDC authentication request. + In OIDC, <literal>acr_values</literal> \
specifies Authentication Context Class Reference values. + The RP sets \
<literal>acr_values</literal> as part of the OIDC Authentication Request. \
+ OpenAM returns the corresponding <literal>acr</literal> claim in the \
Authentication Response + as the value of the ID Token \
<literal>acr</literal> field. </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
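Review bot: the reworked paragraph says the same thing twice: "request an LoA by using the acr_values field in an OIDC authentication request" and, two sentences later, "The RP sets acr_values as part of the OIDC Authentication Request." Suggest dropping the third sentence, so the paragraph runs from the request (acr_values, with the one-line explanation that it holds Authentication Context Class Reference values) straight to the response (the acr claim in the ID Token).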
</span><span class="lines">@@ -1004,7 +1025,7 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> As Mobile Connect OP, OpenAM supports mandatory request \
parameters, </span><del>- and a number of optional request parameters.
</del><ins>+ and a number of optional request parameters:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <table \
xml:id="mobile-connect-table-auth-request-params"> </span><span \
class="lines">@@ -1177,7 +1198,7 @@ </span><span class="cx"> <para>
</span><span class="cx"> When provided as part of the OIDC Authentication \
Request, </span><span class="cx"> the \
<literal>login_hint</literal> is set </span><del>- as the value of \
a cookie named oidcLoginHint, </del><ins>+ as the value of a cookie named \
<literal>oidcLoginHint</literal>, </ins><span class="cx"> which \
is an HttpOnly cookie (only sent over HTTPS). </span><span class="cx"> \
Authentication modules can then retrieve the cookie's value. </span><span class="cx"> \
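Review bot: the unchanged context line "which is an HttpOnly cookie (only sent over HTTPS)" conflates two cookie attributes: HttpOnly keeps the cookie out of reach of page script, while restricting a cookie to HTTPS is the Secure attribute. Since this paragraph is being edited, please state which attributes OpenAM actually sets on oidcLoginHint (HttpOnly, Secure, or both) and describe each correctly; login_hint carries a user identifier, so readers will want to know whether it can be sent over plain HTTP.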
</para> </span><span class="lines">@@ -1207,7 +1228,7 @@
</span><span class="cx"> It runs through the list of \
<literal>acr_values</literal> in order, </span><span class="cx"> \
attempting to use the first authentication chain that matches. </span><span \
class="cx"> OpenAM then returns the authentication chain used </span><del>- \
as the value of the ID token "acr" claims property. </del><ins>+ as \
the value of the ID token <literal>acr</literal> claims property. \
</ins><span class="cx"> In this way the relying part on the service provider \
</span><span class="cx"> can determine the LoA achieved during \
authentication. </span><span class="cx"> </para>
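Review bot: the context line "In this way the relying part on the service provider" has a typo ("relying part" for "relying party"); this commit is a copy-edit pass and the paragraph is already touched, so fix it here. A comma after "In this way" would also match the punctuation applied elsewhere in the change.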
</span><span class="lines">@@ -1240,10 +1261,10 @@
</span><span class="cx"> <para>
</span><span class="cx"> As Mobile Connect OP, OpenAM responds to a successful \
authorization request </span><span class="cx"> with a response containing all the \
required fields, </span><del>- and also the optional "expires_in" field.
</del><ins>+ and also the optional <literal>expires_in</literal> field.
</ins><span class="cx"> OpenAM supports the mandatory ID Token properties,
</span><del>- though the relying party is expected to use the \
"expires_in" value,
- rather than specifying <literal>max_age</literal> as a request \
parameter. </del><ins>+ though the relying party is expected to use the \
<literal>expires_in</literal> value, + rather than specifying \
<literal>max_age</literal> as a request parameter: </ins><span \
class="cx"> </para> </span><span class="cx">
</span><span class="cx"> <table \
xml:id="mobile-connect-table-id-token-properties"> </span><span \
class="lines">@@ -1317,7 +1338,7 @@ </span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- Audience, an array including the \
<literal>client_id</literal> </del><ins>+ Audience, an array \
including the <literal>client_id</literal>. </ins><span class="cx"> \
</para> </span><span class="cx"> </entry>
</span><span class="cx"> </row>
</span><span class="lines">@@ -1335,7 +1356,7 @@
</span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- Expiration time in seconds since the epoch
</del><ins>+ Expiration time in seconds since the epoch.
</ins><span class="cx"> </para>
</span><span class="cx"> </entry>
</span><span class="cx"> </row>
</span><span class="lines">@@ -1353,7 +1374,7 @@
</span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- Issued at time in seconds since the epoch
</del><ins>+ Issued at time in seconds since the epoch.
</ins><span class="cx"> </para>
</span><span class="cx"> </entry>
</span><span class="cx"> </row>
</span><span class="lines">@@ -1369,7 +1390,7 @@
</span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- The nonce supplied in the request
</del><ins>+ The nonce supplied in the request.
</ins><span class="cx"> </para>
</span><span class="cx"> </entry>
</span><span class="cx"> </row>
</span><span class="lines">@@ -1382,12 +1403,12 @@
</span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- Supported
</del><ins>+ Supported.
</ins><span class="cx"> </para>
</span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- Base64url encoding of the SHA-256 hash of the \
"access_token" value </del><ins>+ Base64url-encoding of the SHA-256 \
hash of the "access_token" value. </ins><span class="cx"> \
</para> </span><span class="cx"> </entry>
</span><span class="cx"> </row>
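Review bot: "Base64url-encoding" should not be hyphenated here (it is a noun phrase, "the Base64url encoding of ..."), and "access_token" is still in plain quotes while every other such name in this commit moved to literal markup. The description is also looser than the specification: OpenID Connect Core 1.0 defines at_hash as the base64url encoding of the left-most half of the hash of the access_token value, using the hash function that matches the ID token's signing algorithm (SHA-256 for HS256 and RS256). A relying party that follows this table literally and hashes the whole token will never get a match. Suggest: "Base64url encoding of the left-most half of the SHA-256 hash of the access_token value."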
</span><span class="lines">@@ -1405,7 +1426,7 @@
</span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- Authentication Context class Reference for the LoA achieved
</del><ins>+ Authentication Context class Reference for the LoA achieved.
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="lines">@@ -1430,7 +1451,7 @@
</span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- Authentication Methods Reference to indicate the authentication \
method </del><ins>+ Authentication Methods Reference to indicate the \
authentication method. </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="lines">@@ -1439,7 +1460,7 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> Suggested values include the following:
</span><del>- <literal>OK, DEV_PIN, SIM_PIN, UID_PWD, BIOM, HDR, \
OTP</literal> </del><ins>+ <literal>OK, DEV_PIN, SIM_PIN, UID_PWD, \
BIOM, HDR, OTP</literal>. </ins><span class="cx"> </para>
</span><span class="cx"> </entry>
</span><span class="cx"> </row>
</span><span class="lines">@@ -1457,7 +1478,7 @@
</span><span class="cx"> </entry>
</span><span class="cx"> <entry>
</span><span class="cx"> <para>
</span><del>- Authorized party identifier, which is the \
<literal>client_id</literal> </del><ins>+ Authorized party \
identifier, which is the <literal>client_id</literal>. </ins><span \
class="cx"> </para> </span><span class="cx"> </entry>
</span><span class="cx"> </row>
</span><span class="lines">@@ -1466,8 +1487,8 @@
</span><span class="cx"> </table>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- In addition to the standard OIDC user information returned with \
userinfo,
- OpenAM as OP for Mobile Connect returns the "updated_at" property,
</del><ins>+ In addition to the standard OIDC user information returned with \
<literal>userinfo</literal>, + OpenAM as OP for Mobile Connect returns \
the <literal>updated_at</literal> property, </ins><span class="cx"> \
representing the time last updated as seconds since the epoch. </span><span \
class="cx"> </para> </span><span class="cx">
</span><span class="lines">@@ -1484,7 +1505,7 @@
</span><span class="cx"> under Access Control > <replaceable>Realm \
Name</replaceable> </span><span class="cx"> > Services > OAuth2 \
Provider for the configuration in a specific realm, </span><span class="cx"> and \
under Configuration > Global > OAuth2 Provider </span><del>- for the \
inherited global settings. </del><ins>+ for the inherited global settings:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="lines">@@ -1551,18 +1572,18 @@
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><span class="cx"> Configure the identity Data Store attributes used to \
return </span><del>- "updated_at" values in the ID Token.
</del><ins>+ <literal>updated_at</literal> values in the ID Token.
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> For Mobile Connect clients,
</span><del>- the user info endpoint returns "updated_at" values in the \
ID Token.
- If the user profile has never been updated "updated_at"
</del><ins>+ the user info endpoint returns \
<literal>updated_at</literal> values in the ID Token. + If the user \
profile has never been updated <literal>updated_at</literal> </ins><span \
class="cx"> reflects creation time. </span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- The "updated_at" values are read from the profile \
attributes you specify. </del><ins>+ The \
<literal>updated_at</literal> values are read from the profile attributes \
you specify. </ins><span class="cx"> When using OpenDJ directory server as an \
identity Data Store, </span><span class="cx"> the value is read from the \
<literal>modifyTimestamp</literal> attribute, </span><span class="cx"> \
or the <literal>createTimestamp</literal> attribute </span><span \
class="lines">@@ -1584,7 +1605,7 @@ </span><span class="cx"> <para>
</span><span class="cx"> In addition, you must also add these attributes to the \
list </span><span class="cx"> of LDAP User Attributes for the data store.
</span><del>- Otherwise the attributes are not returned when OpenAM reads the \
user profile. </del><ins>+ Otherwise, the attributes are not returned when OpenAM \
reads the user profile. </ins><span class="cx"> To edit the list in OpenAM \
console, browse to </span><span class="cx"> Access Control > \
<replaceable>Realm Name</replaceable> </span><span class="cx"> > \
Data Stores > <replaceable>Data Store Name</replaceable> \
</span></span></pre></div> <a \
id="trunkdocsserversrcmaindocbkxadminguidechappwdresetxml"></a> <div \
class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-pwd-reset.xml (14912 => \
14913)</h4> <pre class="diff"><span>
<span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-pwd-reset.xml 2015-07-31 16:33:31 \
UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-pwd-reset.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -20,7 +20,7 @@
</span><span class="cx"> !
</span><span class="cx"> ! CCPL HEADER END
</span><span class="cx"> !
</span><del>- ! Copyright 2011-2014 ForgeRock AS
</del><ins>+ ! Copyright 2011-2015 ForgeRock AS.
</ins><span class="cx"> !
</span><span class="cx"> -->
</span><span class="cx"> <chapter xml:id='chap-pwd-reset'
</span><span class="lines">@@ -36,7 +36,7 @@
</span><span class="cx"> <indexterm><primary>Password \
reset</primary></indexterm> </span><span class="cx">
</span><span class="cx"> <para>This chapter focuses on how to enable OpenAM \
features that allow users </span><del>- to self register from the Login page and \
reset their own </del><ins>+ to self-register from the Login page and reset their \
own </ins><span class="cx"> passwords in secure fashion.
</span><span class="cx"> </para>
</span><span class="cx">
</span><span class="lines">@@ -47,20 +47,21 @@
</span><span class="cx"> themselves to the system.
</span><span class="cx"> On the Login page, the user clicks a Register link, which \
sends a request to </span><span class="cx"> the OpenAM server. OpenAM responds to \
request by sending a </span><del>- Register Your Account page where the user enters \
his or her email address. </del><ins>+ Register Your Account page where the users \
enter their email address. </ins><span class="cx"> </para>
</span><span class="cx"> <para>
</span><del>- After the user enters his or her email, OpenAM responds by sending a
</del><ins>+ After the users enter their email, OpenAM responds by sending a
</ins><span class="cx"> notification containing a confirmation link to the user's \
email address. </span><del>- When the user clicks the link, OpenAM confirms the \
operation and presents the user
- with a registration page where the user enters their account information.
</del><ins>+ When the user clicks the link, OpenAM confirms the operation and \
presents + the user with a registration page where the users enter their account
+ information.
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <procedure \
xml:id="configure-user-self-registration"> </span><span class="cx"> \
<title>To Configure User Self-Registration</title> </span><span \
class="cx"> </span><span class="cx"> <step>
</span><del>- <para>Configure the Email Service to send mail
</del><ins>+ <para>Configure the email service to send mail
</ins><span class="cx"> notifications to users who self-register.
</span><span class="cx"> </para>
</span><span class="cx"> <para>
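Review bot: the pluralization on the + lines ("where the users enter their email address", "After the users enter their email", "where the users enter their account information") breaks number agreement with the singular subject the paragraph keeps everywhere else ("the user clicks a Register link", "When the user clicks the link", "the user's email address"). Keep one user going through one flow: "where the user enters their email address", "After the user enters their email", "where the user enters their account information". Singular they does the job the original "his or her" did without switching the subject.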
</span><span class="lines">@@ -71,11 +72,11 @@
</span><span class="cx"> </step>
</span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Configure User Self Service to enable self-registration.
</del><ins>+ <para>Configure User Self-Service to enable self-registration.
</ins><span class="cx"> </para>
</span><span class="cx"> <para>
</span><span class="cx"> You can configure these globally in OpenAM console at
</span><del>- Configure &gt; Global &gt; User Self Service. On the User \
Self Service page, click </del><ins>+ Configure &gt; Global &gt; User \
Self Service. On the User Self-Service page, click </ins><span class="cx"> the \
<literal>Enabled</literal> checkbox next to Self-Registration for Users, \
</span><span class="cx"> and then click Save. </span><span class="cx"> \
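Review bot: the + line is inconsistent with itself: the navigation path stays "Configure &gt; Global &gt; User Self Service" while the same sentence says "On the User Self-Service page". Both name the same console page, so they should match. If the console label is unhyphenated, keep the path and the page name as the console shows them and use the hyphenated form only in descriptive prose, as the step text "Configure User Self-Service" does.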
</para> </span><span class="lines">@@ -87,30 +88,33 @@
</span><span class="cx"> Login page.
</span><span class="cx"> </para>
</span><span class="cx">
</span><del>- <mediaobject xml:id="figure-user-self-register-login">
- <alt>User Self-Registration link</alt>
- <imageobject>
- <imagedata fileref="images/user-self-register-login.png" \
format="PNG" />
- </imageobject>
- <textobject><para>OpenAM allows users to register themselves by \
clicking
- the Register link.
- </para>
- </textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-user-self-register-login">
+ <title>User Self-Registration Login Page</title>
+ <mediaobject>
+ <alt>User Self-Registration link</alt>
+ <imageobject>
+ <imagedata fileref="images/user-self-register-login.png" \
format="PNG" /> + </imageobject>
+ <textobject><para>OpenAM allows users to register themselves by \
clicking + the Register link.
+ </para>
+ </textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="about-pwd-reset">
</span><span class="cx"> <title>About Password Reset</title>
</span><span class="cx">
</span><del>- <para>Users who know their passwords, but must reset them \
because for example </del><ins>+ <para>Users who know their passwords, but \
must reset them because, for example, </ins><span class="cx"> the password is \
going to expire, can reset their passwords by successfully </span><span class="cx"> \
authenticating to OpenAM, visiting their end user pages, such as </span><span \
class="cx"> <literal>http://openam.example.com:8080/openam/XUI/#profile/</literal>, \
and </span><span class="cx"> clicking Change Security Data to display the change \
password page.</para> </span><span class="cx">
</span><span class="cx"> <figure \
xml:id="figure-console-change-pwd-xui"> </span><del>- \
<title>OpenAM Security Data Change page</title> </del><ins>+ \
<title>OpenAM Security Data Change Page</title> </ins><span class="cx"> \
<mediaobject> </span><span class="cx"> <alt>OpenAM Change Password \
page</alt> </span><span class="cx"> <imageobject>
</span><span class="lines">@@ -154,7 +158,7 @@
</span><span class="cx">
</span><span class="cx"> <tip>
</span><span class="cx"> <para>
</span><del>- Resetting a user password can have repercussions on the user \
profile. </del><ins>+ Resetting a user password can have repercussions for the \
user profile. </ins><span class="cx"> For example, a user data store directory \
service </span><span class="cx"> could enforce a policy to require password \
changes on reset. </span><span class="cx"> OpenAM's LDAP authentication module \
can deal with policies </span><span class="lines">@@ -176,17 +180,17 @@
</span><span class="cx"> </tip>
</span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Configure the Password Reset service in one of the \
following ways.</para> </del><ins>+ <para>Configure the Password Reset \
service in one of the following ways:</para> </ins><span class="cx">
</span><span class="cx"> <stepalternatives>
</span><span class="cx"> <step>
</span><del>- <para>To configure the service globally for all realms, \
login to OpenAM </del><ins>+ <para>To configure the service globally for \
all realms, log in to OpenAM </ins><span class="cx"> Console as administrator \
and browse to Configuration &gt; Global &gt; </span><span class="cx"> \
Password Reset in the Global Properties list.</para> </span><span class="cx"> \
</step> </span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>To configure the service for a particular realm, login \
to OpenAM </del><ins>+ <para>To configure the service for a particular \
realm, log in to OpenAM </ins><span class="cx"> console as the realm \
administrator and browse to Access Control &gt; </span><span class="cx"> \
<replaceable>Realm Name</replaceable> &gt; Services, then click \
Add... </span><span class="cx"> to add a new Password Reset service \
configuration.</para> </span><span class="lines">@@ -224,7 +228,7 @@
</span><span class="cx"> <para>Localized versions of this file are named
</span><span class="cx"> \
<filename>amPasswordReset_<replaceable>locale</replaceable>.properties</filename>.
</span><span class="cx"> You should localize only the questions at the end, \
leaving the rest of </span><del>- the localized file as is. For example if the \
default properties file </del><ins>+ the localized file as is. For example, if \
the default properties file </ins><span class="cx"> contains:</para>
</span><span class="cx">
</span><span class="cx"> <literallayout \
class="monospaced">favourite-restaurant=What is your favorite \
restaurant?</literallayout> </span><span class="lines">@@ -306,15 +310,15 @@
</span><span class="cx"> <varlistentry>
</span><span class="cx"> <term>Force Change Password on Next \
Login</term> </span><span class="cx"> <listitem>
</span><del>- <para>When enabled, the user must change her password next \
time she
- logs in after OpenAM resets her password.</para>
</del><ins>+ <para>When enabled, the users must change their password \
next time they + log in after OpenAM resetting their password.</para>
</ins><span class="cx"> </listitem>
</span><span class="cx"> </varlistentry>
</span><span class="cx"> <varlistentry>
</span><span class="cx"> <term>Password Reset Failure \
Lockout</term> </span><span class="cx"> <listitem>
</span><del>- <para>When enabled, the user only gets the specified number \
of tries
- before her account is locked.</para>
</del><ins>+ <para>When enabled, users only gets the specified number of \
tries + before their account is locked.</para>
</ins><span class="cx"> </listitem>
</span><span class="cx"> </varlistentry>
</span><span class="cx"> <varlistentry>
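Review bot: two grammar slips on the + lines. "log in after OpenAM resetting their password" should read "log in after OpenAM resets their password", and "users only gets the specified number of tries" needs "users only get" (or "a user only gets"). These two entries describe the forced change and the reset lockout, the settings an administrator reads most carefully, so the subject-verb mismatch is worth fixing before this ships.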
</span><span class="lines">@@ -330,10 +334,10 @@
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>This interval applies when Password Reset \
Failure Lockout is </span><span class="cx"> enabled, and when Password Reset \
Failure Lockout Count is set. During </span><del>- this interval, a user can \
try to reset her password the specified </del><ins>+ this interval, user can \
try to reset their password the specified </ins><span class="cx"> number of \
times before being locked out. For example, if this interval </span><del>- is 5 \
minutes and the count is set to 3, a user gets 3 tries during
- a given 5 minute interval to reset her password.</para>
</del><ins>+ is 5 minutes and the count is set to 3, users get 3 tries during
+ a given 5 minute interval to reset their password.</para>
</ins><span class="cx"> </listitem>
</span><span class="cx"> </varlistentry>
</span><span class="cx"> <varlistentry>
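Review bot: "this interval, user can try to reset their password" on the + line drops the article; read "a user can try" or "users can try". The rest of the rewrite ("users get 3 tries during a given 5 minute interval") is fine, though "5-minute interval" would match the hyphenation this commit applies elsewhere ("base64-encoded", "XML- and SOAP-based").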
</span><span class="lines">@@ -358,9 +362,9 @@
</span><span class="cx"> <term>Password Reset Failure Lockout \
Duration</term> </span><span class="cx"> <listitem>
</span><span class="cx"> <para>If you configure Password Reset Failure \
Lockout, set this to a </span><del>- number of minutes other than \
<literal>0</literal> so that lockout is
- temporary, requiring only that the locked-out user wait to try again
- to reset her password, rather than necessarily require help from
</del><ins>+ number of minutes other than <literal>0</literal>, so \
that lockout is + temporary, requiring only that locked-out users wait to try \
again + to reset their password, rather than asking for help from
</ins><span class="cx"> an administrator.</para>
</span><span class="cx"> </listitem>
</span><span class="cx"> </varlistentry>
</span><span class="lines">@@ -368,15 +372,15 @@
</span><span class="cx"> <term>Password Reset Lockout Attribute \
Name</term> </span><span class="cx"> <listitem>
</span><span class="cx"> <para>If you configure Password Reset Failure \
Lockout, then OpenAM sets </span><del>- sets data store attribute to \
<literal>inactive</literal> upon </del><ins>+ data store attribute \
to <literal>inactive</literal> upon </ins><span class="cx"> \
lockout.</para> </span><span class="cx"> </listitem>
</span><span class="cx"> </varlistentry>
</span><span class="cx"> <varlistentry>
</span><span class="cx"> <term>Password Reset Lockout Attribute \
Value</term> </span><span class="cx"> <listitem>
</span><del>- <para>If set to <literal>inactive</literal>, \
then a user who is locked
- out cannot attempt to reset her password if the Password Reset
</del><ins>+ <para>If set to <literal>inactive</literal>, \
then users who are locked + out cannot attempt to reset their password if the \
Password Reset </ins><span class="cx"> Failure Lockout Duration is \
<literal>0</literal>.</para> </span><span class="cx"> \
</listitem> </span><span class="cx"> </varlistentry>
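Review bot: the duplicated "sets sets" is gone, but the + line still reads "OpenAM sets data store attribute to inactive upon lockout" with no article. Suggest "OpenAM sets the data store attribute named here to inactive upon lockout", which also makes explicit that this field holds the attribute name and the following entry, Password Reset Lockout Attribute Value, holds the value written to it.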
</span><span class="lines">@@ -407,10 +411,10 @@
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>In the OpenAM console, click the \
Configuration &gt; Servers and </span><del>- Sites &gt; Default Server \
Settings.</para> </del><ins>+ Sites &gt; Default Server \
Settings:</para> </ins><span class="cx"> </step>
</span><span class="cx"> <step>
</span><del>- <para>In the Edit server-default page, scroll down to Mail \
Server to </del><ins>+ <para>In the Edit Server default page, scroll down to \
Mail Server to </ins><span class="cx"> change the Mail Server Host Name or Mail \
Server Port Number.</para> </span><span class="cx"> </step>
</span><span class="cx"> <step>
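Review bot: "Edit server-default page" on the - line named the page after the server instance it edits; rewriting it as "Edit Server default page" turns an identifier into prose and no longer matches what the console shows. Keep the instance name as a literal, e.g. "In the Edit <literal>server-default</literal> page, scroll down to Mail Server". Also, the colon added after "Default Server Settings:" closes a step that is followed by another step rather than a list; a period is the right terminator there.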
</span><span class="lines">@@ -426,7 +430,7 @@
</span><span class="cx"> <filename><?eval \
${coreLibrary}?></filename>, copy it to </span><span class="cx"> \
<filename>WEB-INF/classes/</filename> where OpenAM is deployed, and then \
</span><span class="cx"> edit the file to change the \
<literal>fromAddress.label</literal> property </span><del>- value, as \
in the following example.</para> </del><ins>+ value, as in the following \
example:</para> </ins><span class="cx">
</span><span class="cx"> <literallayout \
class="monospaced">fromAddress.label=no-reply@example.com</literallayout>
</span><span class="cx">
</span><span class="lines">@@ -438,94 +442,120 @@
</span><span class="cx"> <procedure \
xml:id="prepare-users-for-pwd-reset"> </span><span class="cx"> \
<title>To Prepare Users to Reset Passwords</title> </span><span \
class="cx"> </span><del>- <para>Before a user can reset her password, she \
must choose answers for </del><ins>+ <para>Before users can reset their \
password, they must choose answers for </ins><span class="cx"> secret \
questions.</para> </span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>When her account is first created, direct the user to \
her </del><ins>+ <para>When the account is first created, direct the user to \
the </ins><span class="cx"> <literal>idm/EndUser</literal> page, such \
as </span><span class="cx"> \
<literal>http://openam.example.com:8080/openam/idm/EndUser</literal>, \
</span><del>- where she can provide a valid email address to recover the reset \
password </del><ins>+ where they can provide a valid email address to recover the \
reset password </ins><span class="cx"> and can edit Password Reset \
Options.</para> </span><del>- <mediaobject \
xml:id="figure-console-end-user">
- <alt>The OpenAM end user page</alt>
- <imageobject>
- <imagedata fileref="images/console-end-user.png" \
format="PNG" />
- </imageobject>
- <textobject><para>Authenticated users can change their email and
- password reset secret questions through the OpenAM \
console.</para></textobject>
- </mediaobject>
- <para>By default OpenAM console redirects end users to this page when
- they login.</para>
</del><ins>+
+ <figure xml:id="figure-console-end-user">
+ <title>OpenAM End User Page</title>
+ <mediaobject>
+ <alt>The OpenAM end user page</alt>
+ <imageobject>
+ <imagedata fileref="images/console-end-user.png" \
format="PNG" /> + </imageobject>
+ <textobject><para>Authenticated users can change their email and
+ password reset secret questions through the OpenAM console.</para>
+ </textobject>
+ </mediaobject>
+ </figure>
+
+ <para>By default, OpenAM console redirects end users to this page when
+ they log in.</para>
</ins><span class="cx"> </step>
</span><span class="cx"> <step>
</span><del>- <para>After the user updates her secret questions, she can use \
the </del><ins>+ <para>After the users update their secret questions, they \
can use the </ins><span class="cx"> password reset service when \
necessary.</para> </span><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-console-secret-questions">
- <alt>The OpenAM secret question page</alt>
- <imageobject>
- <imagedata fileref="images/console-secret-questions.png" \
format="PNG" />
- </imageobject>
- <textobject><para>Authenticated users can change the answers to \
secret
- questions through the OpenAM console.</para></textobject>
- </mediaobject>
</del><ins>+ <figure xml:id="figure-console-secret-questions">
+ <title>OpenAM Secret Question Page</title>
+ <mediaobject>
+ <alt>The OpenAM secret question page</alt>
+ <imageobject>
+ <imagedata fileref="images/console-secret-questions.png" \
format="PNG" /> + </imageobject>
+ <textobject><para>Authenticated users can change the answers to \
secret + questions through the OpenAM console.</para></textobject>
+ </mediaobject>
+ </figure>
</ins><span class="cx">
</span><del>- <note><para>Answers to secret questions are case \
sensitive.</para></note> </del><ins>+ <note><para>Answers \
to secret questions are case-sensitive.</para></note> </ins><span \
class="cx"> </step> </span><span class="cx"> </procedure>
</span><span class="cx">
</span><span class="cx"> <procedure xml:id="redirect-to-reset-pwd">
</span><span class="cx"> <title>To Direct Users to Reset \
Passwords</title> </span><span class="cx">
</span><del>- <para>Having setup her email and answers to secret questions, \
the user </del><ins>+ <para>Having setup their email and answers to secret \
questions, users </ins><span class="cx"> can use the reset password \
service.</para> </span><ins>+
</ins><span class="cx"> <para>Create a test subject and use these steps to \
validate your </span><span class="cx"> configuration.</para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Send the user with a forgotten password to enter her \
user ID at </del><ins>+ <para>Send users with a forgotten password to enter \
their user ID at </ins><span class="cx"> the password reset URL.</para>
</span><del>- <para>If the user is in the default realm use \
<literal>password</literal> </del><ins>+
+ <para>If the user is in the default realm, use \
<literal>password</literal> </ins><span class="cx"> at the end of the \
URL to OpenAM, as in </span><span class="cx"> \
<literal>http://openam.example.com:8080/openam/password</literal>.</para>
</span><ins>+
</ins><span class="cx"> <para>If the password reset service is enabled only \
for the user's realm </span><span class="cx"> and not the parent realm, or the \
realm to reset the password is different </span><span class="cx"> from the user's \
default realm, use <literal>ui/PWResetUserValidation?realm=<replaceable>realm
</span><span class="cx"> name</replaceable>, as in</literal>
</span><span class="cx"> \
<literal>http://openam.example.com:8080/openam/ui/PWResetUserValidation?realm=<replaceable>realm
</span><span class="cx"> name</replaceable></literal>.</para>
</span><del>- <mediaobject \
xml:id="figure-console-user-validation">
- <alt>The OpenAM user validation page</alt>
- <imageobject>
- <imagedata fileref="images/console-user-validation.png" \
format="PNG" />
- </imageobject>
- <textobject><para>OpenAM validates that the user exists, has an \
active
- account, and has set answers to her secret \
questions.</para></textobject>
- </mediaobject>
</del><ins>+
+ <figure xml:id="figure-console-user-validation">
+ <title>OpenAM User Validation Page</title>
+ <mediaobject>
+ <alt>The OpenAM user validation page</alt>
+ <imageobject>
+ <imagedata fileref="images/console-user-validation.png" \
format="PNG" /> + </imageobject>
+ <textobject><para>OpenAM validates that the user exists, has an \
active + account, and has set answers to their secret questions.</para>
+ </textobject>
+ </mediaobject>
+ </figure>
+
</ins><span class="cx"> </step>
</span><span class="cx"> <step>
</span><span class="cx"> <para>The user answers the specified questions, \
and clicks OK.</para> </span><ins>+
</ins><span class="cx"> <para>OpenAM resets the password, sending mail to \
the SMTP service </span><span class="cx"> you configured.</para>
</span><del>- <mediaobject \
xml:id="figure-console-answer-questions">
- <alt>The OpenAM user validation page</alt>
- <imageobject>
- <imagedata fileref="images/console-answer-questions.png" \
format="PNG" />
- </imageobject>
- <textobject><para>OpenAM prompts with secret \
questions.</para></textobject>
- </mediaobject>
</del><span class="cx">
</span><ins>+ <figure xml:id="figure-console-answer-questions">
+ <title>OpenAM user Validation Page</title>
+ <mediaobject>
+ <alt>The OpenAM user validation page</alt>
+ <imageobject>
+ <imagedata fileref="images/console-answer-questions.png" \
format="PNG" /> + </imageobject>
+ <textobject>
+ <para>OpenAM prompts with secret questions.</para>
+ </textobject>
+ </mediaobject>
+ </figure>
+
</ins><span class="cx"> <para>When the user clicks OK, OpenAM sends the \
email and shows a </span><del>- confirmation message.</para>
</del><ins>+ confirmation message, as shown in the figure.</para>
</ins><span class="cx">
</span><span class="cx"> <para>The user receives the email with a line such \
as the following.</para> </span><span class="cx"> <literallayout \
class="monospaced">Your OpenAM password was changed to: \
647bWluw</literallayout> </span><span class="cx"> </step>
</span><span class="cx"> <step>
</span><span class="cx"> <para>The user logs in using the new \
password.</para> </span><ins>+
</ins><span class="cx"> <para>If you configured the system to force a \
change on password reset, </span><del>- then OpenAM requires the user to change \
her password.</para> </del><ins>+ then OpenAM requires the user to change \
their password.</para> </ins><span class="cx"> </step>
</span><span class="cx"> </procedure>
</span><span class="cx"> </section>
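Review bot: "confirmation message, as shown in the figure" on the + line points at the wrong figure. The figure it follows, figure-console-answer-questions, shows OpenAM prompting with secret questions (its own textobject says so), not the confirmation message, so either drop "as shown in the figure" or move the sentence so that the figure illustrates the questions step it actually depicts. Related, the new title on that figure, "OpenAM user Validation Page", is both mis-capitalized and a copy of the previous figure's title; something like "OpenAM Secret Questions Page" would match its content. Smaller point: "Having setup their email" should be "Having set up their email" (verb). Finally, since the sample mail reads "Your OpenAM password was changed to: 647bWluw", that is, the new password is delivered in cleartext by email, this procedure would benefit from one sentence recommending that Force Change Password on Next Login (documented earlier in this chapter) be enabled so the emailed value can only be used once.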
</span></span></pre></div>
<a id="trunkdocsserversrcmaindocbkxadminguidechaprealmsxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-realms.xml (14912 => 14913)</h4> \
<pre class="diff"><span> <span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-realms.xml 2015-07-31 16:33:31 UTC \
(rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-realms.xml 2015-07-31 17:16:10 \
UTC (rev 14913) </span><span class="lines">@@ -41,7 +41,7 @@
</span><span class="cx"> which are used to group configuration and identities \
together. </span><span class="cx"> For example, you might have one realm for OpenAM \
administrators and agents, </span><span class="cx"> and another realm for users.
</span><del>- In this two-realm setup, the OpenAM administrator can login
</del><ins>+ In this two-realm setup, the OpenAM administrator can log in
</ins><span class="cx"> to the administrative realm to manage the services,
</span><span class="cx"> but cannot authenticate as OpenAM administrator to the \
realm </span><span class="cx"> that protects web sites with HR and financial \
information. </span><span class="lines">@@ -58,12 +58,12 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> When you first configure OpenAM,
</span><del>- OpenAM sets up the default <literal>/ (Top Level \
Realm)</literal>, </del><ins>+ OpenAM sets up the default <literal>/ \
(Top-Level Realm)</literal>, </ins><span class="cx"> containing OpenAM \
configuration data, </span><span class="cx"> and allowing authentication using the \
identity repository </span><span class="cx"> that you choose during initial \
configuration. </span><del>- The top level realm might hold the overall \
configuration
- for Example.com for instance.
</del><ins>+ The top-level realm might hold the overall configuration
+ for Example.com, for instance.
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
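Review bot: "<literal>/ (Top-Level Realm)</literal>" on the + line hyphenates text that is marked up as a literal, that is, as the label the console displays for the default realm. Prose hyphenation rules should not be applied inside <literal>; keep "/ (Top Level Realm)" as the console shows it and hyphenate only in running text, which the second half of this hunk does correctly ("The top-level realm might hold the overall configuration").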
</span><span class="lines">@@ -80,7 +80,7 @@
</span><span class="cx"> The default authentication mechanism corresponds
</span><span class="cx"> to that identity repository as well.
</span><span class="cx"> You can, however, constrain authentication to rely on \
different data stores, </span><del>- and set policy for agents to define \
authorization in the realm. </del><ins>+ and set policy for agents to define \
authorization in the realm: </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <section xml:id="manage-realms">
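Review bot: the colon added after "define authorization in the realm:" has nothing to introduce; the next element is <section xml:id="manage-realms">, not a list, so the sentence now dangles into a section heading. Restore the period here. The colons this commit adds before <itemizedlist> and <step> elements elsewhere are fine because a list or procedure follows them.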
</span><span class="lines">@@ -107,12 +107,12 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> You can create a new realm through the OpenAM console as \
described below, </span><del>- or by using the <command>ssoadm \
create-realm</command> command. </del><ins>+ or by using the \
<command>ssoadm create-realm</command> command: </ins><span class="cx"> \
</para> </span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Login to the OpenAM console as OpenAM Administrator, \
<literal>amadmin</literal>. </del><ins>+ Log in to the OpenAM console \
as OpenAM Administrator, <literal>amadmin</literal>. </ins><span \
class="cx"> </para> </span><span class="cx"> </step>
</span><span class="cx">
</span><span class="lines">@@ -123,7 +123,7 @@
</span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <note><para>Do not use the names of OpenAM \
REST endpoints as the name of a realm. </span><del>- The OpenAM REST endpoint \
names that should not be used includes: "users", </del><ins>+ The \
OpenAM REST endpoint names that should not be used include: "users", \
</ins><span class="cx"> "groups", "realms", \
"policies" and "applications".</para></note> \
</span><span class="cx"> </span><span class="cx"> <para>
</span><span class="lines">@@ -172,7 +172,7 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> You can grant privileges through the OpenAM console as \
described below, </span><del>- or by using the <command>ssoadm \
add-privileges</command> command. </del><ins>+ or by using the \
<command>ssoadm add-privileges</command> command: </ins><span class="cx"> \
</para> </span><span class="cx">
</span><span class="cx"> <step>
</span><span class="lines">@@ -186,7 +186,7 @@
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><span class="cx"> On the Privileges tab, click the name of the group
</span><del>- to whom you intend to grant access.
</del><ins>+ to which you intend to grant access.
</ins><span class="cx"> </para>
</span><span class="cx"> </step>
</span><span class="cx">
</span><span class="lines">@@ -418,7 +418,7 @@
</span><span class="cx"> <para>
</span><span class="cx"> You can configure a policy agent
</span><span class="cx"> to be directed to a realm and application when requesting \
policy decisions, </span><del>- or to log users into a different realm than the \
policy agent's realm. </del><ins>+ or to log users into a different realm than the \
policy agent's realm: </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="lines">@@ -431,7 +431,7 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> By default, policy agents request policy decisions
</span><del>- in the top level realm (/)
</del><ins>+ in the top-level realm (/)
</ins><span class="cx"> and for the default policy agent application,
</span><span class="cx"> <literal>iPlanetAMWebAgentService</literal>.
</span><span class="cx"> When the realm and application differ for your policy \
agent, </span><span class="lines">@@ -485,13 +485,13 @@
</span><span class="cx"> </procedure>
</span><span class="cx">
</span><span class="cx"> <procedure \
xml:id="agent-redirect-login-to-realm"> </span><del>- <title>To \
Configure a Web or J2EE Agent for Login to a Realm</title> </del><ins>+ \
<title>To Configure a Web or J2EE Agent for Log In to a Realm</title> \
</ins><span class="cx"> </span><span class="cx"> <para>
</span><span class="cx"> You might choose to configure your agent in one realm,
</span><span class="cx"> yet have your real users authenticate through another \
realm. </span><span class="cx"> In this case, you want your policy agents
</span><del>- to redirect users to authenticate to their realm, rather than the \
agent realm. </del><ins>+ to redirect users to authenticate to their realm, rather \
than the agent realm: </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <step>
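Review bot: the title change to "To Configure a Web or J2EE Agent for Log In to a Realm" is a regression: "log in" is the verb and "login" the noun, and this title needs the noun, so the original "for Login to a Realm" was correct. The login to log in fixes elsewhere in this commit are right because those are verb uses ("log in to the OpenAM console"); this one should be reverted.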
</span></span></pre></div>
<a id="trunkdocsserversrcmaindocbkxadminguidechaprestxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-rest.xml (14912 => 14913)</h4> \
<pre class="diff"><span> <span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-rest.xml 2015-07-31 16:33:31 UTC \
(rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-rest.xml 2015-07-31 17:16:10 \
UTC (rev 14913) </span><span class="lines">@@ -35,13 +35,14 @@
</span><span class="cx">
</span><span class="cx"> <para>You can configure the default behavior OpenAM \
will take when a REST </span><span class="cx"> call does not specify explicit \
version information using either of the </span><del>- following \
procedures.</para> </del><ins>+ following procedures:</para>
+
</ins><span class="cx"> <itemizedlist>
</span><span class="cx"> <listitem><para><xref \
linkend="configure-versioning-ui" /></para></listitem> \
</span><span class="cx"> <listitem><para><xref \
linkend="configure-versioning-ssoadm" /></para></listitem> \
</span><span class="cx"> </itemizedlist> </span><span class="cx">
</span><del>- <para>The available options for default behavior are as \
follows.</para> </del><ins>+ <para>The available options for default \
behavior are as follows:</para> </ins><span class="cx">
</span><span class="cx"> <variablelist>
</span><span class="cx"> <varlistentry>
</span><span class="lines">@@ -79,7 +80,7 @@
</span><span class="cx"> <title>Configure Versioning Behavior by using the \
Web-based Console</title> </span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Login as OpenAM administrator, \
<literal>amadmin</literal>.</para> </del><ins>+ <para>Log \
in as OpenAM administrator, <literal>amadmin</literal>.</para> \
</ins><span class="cx"> </step> </span><span class="cx">
</span><span class="cx"> <step>
</span><span class="lines">@@ -87,23 +88,28 @@
</span><span class="cx"> </step>
</span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>In 'Default Version', select the required response to a \
REST
- API request that does not specify an explicit version; 'Latest', 'Oldest',
- or 'None'.</para>
- <mediaobject xml:id="figure-rest-api-default-version-config">
- <alt>REST API Default Version Configuration page.</alt>
- <imageobject>
- <imagedata fileref="images/rest-api-default-version-config.png" \
format="PNG" />
- </imageobject>
- <textobject><para>Select the default version behavior from either \
Latest,
- Oldest, or None. Optionally enable a warning header when
- explicit version information is not provided.</para></textobject>
- </mediaobject>
</del><ins>+ <para>In Default Version, select the required response to a \
REST + API request that does not specify an explicit version: \
<literal>Latest</literal>, + <literal>Oldest</literal>, \
or <literal>None</literal>.</para> +
+ <figure xml:id="figure-rest-api-default-version-config">
+ <title>REST API Default Version Configuration Page</title>
+ <mediaobject>
+ <alt>REST API Default Version Configuration page.</alt>
+ <imageobject>
+ <imagedata fileref="images/rest-api-default-version-config.png" \
format="PNG" /> + </imageobject>
+ <textobject><para>Select the default version behavior from either
+ <literal>Latest</literal>, <literal>Oldest</literal>, \
or <literal>None</literal>. + Optionally enable a warning header \
when explicit version information is + not \
provided.</para></textobject> + </mediaobject>
+ </figure>
</ins><span class="cx"> </step>
</span><span class="cx">
</span><span class="cx"> <step performance="optional">
</span><del>- <para>Optionally, enable 'Warning Header' to include warning \
messages in the
- headers of responses to requests.</para>
</del><ins>+ <para>Optionally, enable <literal>Warning \
Header</literal> to include + warning messages in the headers of responses \
to requests.</para> </ins><span class="cx"> </step>
</span><span class="cx">
</span><span class="cx"> <step>
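Review bot: markup is inconsistent within this hunk: "Default Version" is left as plain text while "Warning Header" on the + line is wrapped in <literal>, and both are console field labels. The values Latest, Oldest and None are rightly in <literal> since they are the strings the administrator selects; treat the two labels the same way, preferably as plain text, which is how console labels are written in the other chapters touched by this commit.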
</span><span class="lines">@@ -116,10 +122,10 @@
</span><span class="cx"> <title>Configure Versioning Behavior by using \
SSOADM</title> </span><span class="cx">
</span><span class="cx"> <step>
</span><del>- <para>Use the <literal>ssoadm \
set-attr-defs</literal> command, with </del><ins>+ <para>Use the \
<literal>ssoadm set-attr-defs</literal> command with </ins><span \
class="cx"> the <literal>openam-rest-apis-default-version</literal> \
attribute set </span><span class="cx"> to either \
<literal>LATEST</literal>, <literal>OLDEST</literal> or \
</span><del>- <literal>NONE</literal>, as in the following \
example.</para> </del><ins>+ <literal>NONE</literal>, as in the \
following example:</para> </ins><span class="cx"> <screen>
</span><span class="cx"> $ <userinput>ssh \
openam.example.com</userinput> </span><span class="cx"> $ \
<userinput>cd /path/to/openam-tools/admin/openam/bin</userinput> \
</span></span></pre></div> <a \
id="trunkdocsserversrcmaindocbkxadminguidechapsaml1xml"></a> <div \
class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-saml-1.xml (14912 => 14913)</h4> \
<pre class="diff"><span> <span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-saml-1.xml 2015-07-31 16:33:31 UTC \
(rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-saml-1.xml 2015-07-31 17:16:10 \
UTC (rev 14913) </span><span class="lines">@@ -44,7 +44,7 @@
</span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- SAML v1.x is an XML and SOAP-based framework that allows
</del><ins>+ SAML v1.x is an XML- and SOAP-based framework that allows
</ins><span class="cx"> online trusted partners to exchange security information.
</span><span class="cx"> In particular, SAML v1.x defines mechanisms for
</span><span class="cx"> browser based web single sign-on (SSO) across independent \
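Review bot: the hyphenation fix on `+ SAML v1.x is an XML- and SOAP-based framework that allows` leaves the unchanged context line two lines below, `browser based web single sign-on (SSO)`, without the same treatment; change it to `browser-based web single sign-on (SSO)` in the same pass so the paragraph is consistent.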
organizations </span><span class="lines">@@ -88,7 +88,7 @@
</span><span class="cx"> <title>About SAML v1.x</title>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- SAML v1.x was defined in response to several technical problems.
</del><ins>+ SAML v1.x was defined in response to several technical problems:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="lines">@@ -163,7 +163,7 @@
</span><span class="cx"> The asserting party and relying party can exchange \
messages either </span><span class="cx"> by reference, where the asserting party \
sends </span><span class="cx"> an <firstterm>artifact</firstterm>
</span><del>- (a base64 encoded reference to the assertion)
</del><ins>+ (a base64-encoded reference to the assertion)
</ins><span class="cx"> as a query string parameter value,
</span><span class="cx"> or by value, where the asserting party directs the user's \
browser </span><span class="cx"> to HTTP POST the assertion to the relying party.
</span><span class="lines">@@ -183,7 +183,6 @@
</span><span class="cx">
</span><span class="cx"> <figure \
xml:id="figure-saml-1-browser-artifact-profile"> </span><span \
class="cx"> <title>SAML v1.x Web SSO Browser Artifact Profile</title> \
</span><del>- </del><span class="cx"> <mediaobject>
</span><span class="cx"> <alt>Sequence diagram of the web SSO browser \
artifact profile</alt> </span><span class="cx"> <imageobject>
</span><span class="lines">@@ -215,7 +214,6 @@
</span><span class="cx">
</span><span class="cx"> <figure \
xml:id="figure-saml-1-browser-post-profile"> </span><span class="cx"> \
<title>SAML v1.x Web SSO Browser POST Profile</title> </span><del>-
</del><span class="cx"> <mediaobject>
</span><span class="cx"> <alt>Sequence diagram of the web SSO browser POST \
profile</alt> </span><span class="cx"> <imageobject>
</span><span class="lines">@@ -245,7 +243,7 @@
</span><span class="cx"> the relying party's authorization decision capabilities \
to </span><span class="cx"> establish whether the user can access the resource.
</span><span class="cx"> If so, the resource is returned to the user's browser.
</span><del>- If the relying party is using OpenAM for example,
</del><ins>+ If the relying party is using OpenAM, for example,
</ins><span class="cx"> then the relying party sets an OpenAM SSO token based on \
the SAML response, </span><span class="cx"> and this token is used to track the \
user's session for authorization. </span><span class="cx"> </para>
</span><span class="lines">@@ -273,7 +271,7 @@
</span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- This section lists the data that you must collect.
</del><ins>+ This section lists the data that you must collect:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="lines">@@ -389,7 +387,7 @@
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>
</span><span class="cx"> Whether the relying party sends SOAP query requests to \
the asserting party, </span><del>- for example to get authorization decisions
</del><ins>+ for example, to get authorization decisions
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="lines">@@ -496,13 +494,13 @@
</span><span class="cx"> Trusted partners should ask you for a Site ID.
</span><span class="cx"> OpenAM generates a SAML v1.x Site ID value at \
configuration time. </span><span class="cx"> This Site ID value corresponds to \
the server. </span><del>- To find this in OpenAM Console, see Federation
</del><ins>+ To find this in OpenAM console, see Federation
</ins><span class="cx"> > SAML 1.x Configuration > Local Site Properties \
> Site Identifiers, </span><span class="cx"> and then click your server URL.
</span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- If you have multiple servers in an OpenAM Site set up behind a load \
balancer, </del><ins>+ If you have multiple servers in an OpenAM site set up \
behind a load balancer, </ins><span class="cx"> you can generate a Site ID, and \
then use it for all the servers in your site. </span><span class="cx"> \
</para> </span><span class="cx">
</span><span class="lines">@@ -515,7 +513,7 @@
</span><span class="cx"> This example is for an asserting party
</span><span class="cx"> where the site load balancer host is \
<literal>ap.example.net</literal>. </span><span class="cx"> The \
command is bundled with OpenAM server, </span><del>- shown with lines folded to \
fit on the printed page. </del><ins>+ shown with lines folded to fit on the \
printed page: </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <screen>
</span><span class="lines">@@ -599,16 +597,16 @@
</span><span class="cx"> <tip>
</span><span class="cx"> <para>
</span><span class="cx"> When you enter SAML v1.x configuration data,
</span><del>- OpenAM Console escapes these special characters by default:
</del><ins>+ OpenAM console escapes these special characters by default:
</ins><span class="cx"> <literal>&amp; &lt; &gt; " ' \
/</literal>. </span><span class="cx"> If instead you have already escaped \
these characters </span><del>- in the data that you plan to enter in OpenAM \
Console, </del><ins>+ in the data that you plan to enter in OpenAM console,
</ins><span class="cx"> then set the advanced configuration property
</span><span class="cx"> \
<literal>com.sun.identity.saml.escapeattributevalue</literal> \
</span><span class="cx"> to <literal>false</literal> </span><span \
class="cx"> under Configuration > Servers and Sites > Default Server \
Settings > Advanced, </span><span class="cx"> and then restart OpenAM or the \
container in which it runs </span><del>- to prevent OpenAM Console from escaping \
the characters for you. </del><ins>+ to prevent OpenAM console from escaping the \
characters for you. </ins><span class="cx"> </para>
</span><span class="cx"> </tip>
</span><span class="cx">
</span><span class="lines">@@ -627,12 +625,12 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> Using the configuration information you have gathered
</span><del>- complete the following steps.
</del><ins>+ complete the following steps:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Login to OpenAM Console as administrator, amadmin,
</del><ins>+ Log in to OpenAM console as administrator, amadmin,
</ins><span class="cx"> browse to Federation > SAML 1.x Configuration,
</span><span class="cx"> and then click Local Site Properties.
</span><span class="cx"> </para>
</span><span class="lines">@@ -750,7 +748,7 @@
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Login to OpenAM Console as administrator, amadmin,
</del><ins>+ Log in to OpenAM console as administrator, amadmin,
</ins><span class="cx"> browse to Federation > SAML 1.x Configuration,
</span><span class="cx"> and then click Local Site Properties.
</span><span class="cx"> </para>
</span><span class="lines">@@ -850,7 +848,7 @@
</span><span class="cx"> <para>
</span><span class="cx"> After you have gathered configuration information
</span><span class="cx"> and if necessary imported public key certificates from \
trusted partners </span><del>- you can configure SAML v1.x information for the \
partners. </del><ins>+ you can configure SAML v1.x information for the partners:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="lines">@@ -867,13 +865,13 @@
</span><span class="cx"> <title>To Configure a Trusted Relying \
Party</title> </span><span class="cx">
</span><span class="cx"> <para>
</span><del>- OpenAM Console refers to the relying party as the Destination,
- because the relying party's site is the destination site.
</del><ins>+ OpenAM console refers to the relying party as the Destination,
+ because the relying party's site is the destination site:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Login to OpenAM Console as administrator, amadmin,
</del><ins>+ Log in to OpenAM console as administrator, amadmin,
</ins><span class="cx"> browse to Federation > SAML 1.x Configuration,
</span><span class="cx"> and then click New in the Trusted Partners table.
</span><span class="cx"> </para>
</span><span class="lines">@@ -959,13 +957,13 @@
</span><span class="cx"> <title>To Configure a Trusted Asserting \
Party</title> </span><span class="cx">
</span><span class="cx"> <para>
</span><del>- OpenAM Console refers to the asserting party as the Source,
- because the asserting party's site is the source site.
</del><ins>+ OpenAM console refers to the asserting party as the Source,
+ because the asserting party's site is the source site:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Login to OpenAM Console as administrator, amadmin,
</del><ins>+ Log in to OpenAM console as administrator, amadmin,
</ins><span class="cx"> browse to Federation > SAML 1.x Configuration,
</span><span class="cx"> and then click New in the Trusted Partners table.
</span><span class="cx"> </para>
</span><span class="lines">@@ -1053,7 +1051,7 @@
</span><span class="cx">
</span><span class="cx"> <para>
</span><span class="cx"> You can try SAML v1.x Web SSO using OpenAM
</span><del>- by following the procedures in this section.
</del><ins>+ by following the procedures in this section:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="lines">@@ -1089,13 +1087,13 @@
</span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- You can for example set up two separate OpenAM servers on a single \
host </del><ins>+ You can, for example, set up two separate OpenAM servers on a \
single host </ins><span class="cx"> by adding aliases for the hosts in your \
hosts file, </span><span class="cx"> and by using separate containers that \
listen on different ports. </span><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- For example if your host is a laptop,
</del><ins>+ For example, if your host is a laptop,
</ins><span class="cx"> you can add the aliases to the loopback address
</span><span class="cx"> as in the following example line
</span><span class="cx"> from an <filename>/etc/hosts</filename> \
file. </span><span class="lines">@@ -1105,7 +1103,7 @@
</span><span class="cx"> >127.0.0.1 localhost ap.example.net \
rp.example.com</literallayout> </span><span class="cx">
</span><span class="cx"> <para>
</span><del>- Then run one application server to listen on port 8080,
</del><ins>+ Then, run one application server to listen on port 8080,
</ins><span class="cx"> and another to listen on port 9080.
</span><span class="cx"> </para>
</span><span class="cx">
</span><span class="lines">@@ -1132,7 +1130,7 @@
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><span class="cx"> On the asserting party server,
</span><del>- login to OpenAM Console as administrator,
</del><ins>+ login to OpenAM console as administrator,
</ins><span class="cx"> browse to Federation > SAML 1.x Configuration,
</span><span class="cx"> and then click Local Site Properties.
</span><span class="cx"> </para>
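Review bot: the line `+ login to OpenAM console as administrator,` only lowercases `console` and keeps `login` as a verb, while every other hunk in this file rewrites the same phrase as `Log in to OpenAM console`; change it to `log in to OpenAM console as administrator,` so this step matches the other procedures.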
</span><span class="lines">@@ -1149,7 +1147,7 @@
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><span class="cx"> On the relying party server,
</span><del>- login to OpenAM Console as administrator,
</del><ins>+ login to OpenAM console as administrator,
</ins><span class="cx"> browse to Federation > SAML 1.x Configuration,
</span><span class="cx"> and then click Local Site Properties.
</span><span class="cx"> </para>
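Review bot: same inconsistency as in the asserting party step of the previous hunk: `+ login to OpenAM console as administrator,` should read `log in to OpenAM console as administrator,` to match the `Log in to` wording used by the other corrected steps in this file.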
</span><span class="lines">@@ -1168,12 +1166,12 @@
</span><span class="cx"> <title>To Prepare to Test the Asserting \
Party</title> </span><span class="cx">
</span><span class="cx"> <para>
</span><del>- Follow these steps to configure the asserting party OpenAM server.
</del><ins>+ Follow these steps to configure the asserting party OpenAM server:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Login to OpenAM Console as administrator,
</del><ins>+ Log in to OpenAM console as administrator,
</ins><span class="cx"> browse to Federation > SAML 1.x Configuration,
</span><span class="cx"> and then click Local Site Properties.
</span><span class="cx"> </para>
</span><span class="lines">@@ -1258,12 +1256,12 @@
</span><span class="cx"> <title>To Prepare to Test the Relying \
Party</title> </span><span class="cx">
</span><span class="cx"> <para>
</span><del>- Follow these steps to configure the relying party OpenAM server.
</del><ins>+ Follow these steps to configure the relying party OpenAM server:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Login to OpenAM Console as administrator,
</del><ins>+ Log in to OpenAM console as administrator,
</ins><span class="cx"> browse to Federation > SAML 1.x Configuration,
</span><span class="cx"> and then click New in the Trusted Partners table
</span><span class="cx"> to add the asserting party as a trusted partner.
</span><span class="lines">@@ -1315,12 +1313,12 @@
</span><span class="cx"> <title>To Try SAML v1.x Web SSO</title>
</span><span class="cx">
</span><span class="cx"> <para>
</span><del>- Once you have successfully configured both parties, try SAML v1.x \
Web SSO. </del><ins>+ Once you have successfully configured both parties, try SAML \
v1.x Web SSO: </ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Log out of OpenAM Console on both servers.
</del><ins>+ Log out of OpenAM console on both servers.
</ins><span class="cx"> </para>
</span><span class="cx"> </step>
</span><span class="cx">
</span><span class="lines">@@ -1333,7 +1331,7 @@
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><span class="cx"> Simulate the OpenAM administrator browsing the \
asserting party's site, </span><del>- and selecting a link to the OpenAM \
Console on the relying party's site. </del><ins>+ and selecting a link to the \
OpenAM console on the relying party's site. </ins><span class="cx"> \
</para> </span><span class="cx">
</span><span class="cx"> <para>
</span><span class="lines">@@ -1356,14 +1354,14 @@
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Notice that you are redirected to OpenAM Console on the relying \
party server, </del><ins>+ Notice that you are redirected to OpenAM console on \
the relying party server, </ins><span class="cx"> and that you are \
successfully logged in as the demo user. </span><span class="cx"> </para>
</span><span class="cx"> </step>
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Log out of OpenAM Console on both servers.
</del><ins>+ Log out of OpenAM console on both servers.
</ins><span class="cx"> </para>
</span><span class="cx"> </step>
</span><span class="cx"> </substeps>
</span><span class="lines">@@ -1371,14 +1369,14 @@
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Try Web SSO using the SAML HTTP POST profile.
</del><ins>+ Try Web SSO using the SAML HTTP POST profile:
</ins><span class="cx"> </para>
</span><span class="cx">
</span><span class="cx"> <substeps>
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><span class="cx"> Simulate the OpenAM administrator browsing the \
asserting party's site, </span><del>- and selecting a link to the OpenAM \
Console on the relying party's site. </del><ins>+ and selecting a link to the \
OpenAM console on the relying party's site. </ins><span class="cx"> \
</para> </span><span class="cx">
</span><span class="cx"> <para>
</span><span class="lines">@@ -1400,7 +1398,7 @@
</span><span class="cx">
</span><span class="cx"> <step>
</span><span class="cx"> <para>
</span><del>- Notice that you are redirected to OpenAM Console on the relying \
party server, </del><ins>+ Notice that you are redirected to OpenAM console on \
the relying party server, </ins><span class="cx"> and that you are \
successfully logged in as <literal>amadmin</literal>. </span><span \
class="cx"> </para> </span><span class="cx"> </step>
</span></span></pre></div>
<a id="trunkdocsserversrcmaindocbkxadminguidechapsecuringxml"></a>
<div class="modfile"><h4>Modified: \
trunk/docs/server/src/main/docbkx/admin-guide/chap-securing.xml (14912 => 14913)</h4> \
<pre class="diff"><span> <span class="info">--- \
trunk/docs/server/src/main/docbkx/admin-guide/chap-securing.xml 2015-07-31 16:33:31 \
UTC (rev 14912)
+++ trunk/docs/server/src/main/docbkx/admin-guide/chap-securing.xml 2015-07-31 \
17:16:10 UTC (rev 14913) </span><span class="lines">@@ -44,11 +44,11 @@
</span><span class="cx"> <itemizedlist>
</span><span class="cx"> <para>OpenAM includes default settings to make it \
easier for you to </span><span class="cx"> evaluate the software. Avoid these \
default settings in production </span><del>- deployments.</para>
</del><ins>+ deployments:</para>
</ins><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>When connecting to LDAP, bind with a \
specific administrative account </span><del>- rather than a root DN account if \
possible.</para> </del><ins>+ rather than a root DN account, if \
possible.</para> </ins><span class="cx"> </listitem>
</span><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="lines">@@ -141,69 +141,81 @@
</span><span class="cx"> <section xml:id="protect-network-access">
</span><span class="cx"> <title>Protecting Network Access</title>
</span><span class="cx">
</span><del>- <para>Anytime users interact with a web service, there are \
risks. With OpenAM, you can
- reduce those risks by deploying different parts of OpenAM in appropriate parts of \
an
- enterprise network.</para>
</del><ins>+ <para>Anytime users interact with a web service, there are risks. \
With OpenAM, + you can reduce those risks by deploying different parts of OpenAM in \
appropriate + parts of an enterprise network.</para>
</ins><span class="cx">
</span><del>- <para>To minimize risks, deploy only the core OpenAM server on \
systems directly connected
- through a firewall. As a start, deploy only the core server (and the \
protected web application)
- on Internet-facing servers. For instructions, see the following section from \
the
- OpenAM Installation Guide, <link \
xlink:href="install-guide#which-war-to-deploy"
- xlink:show="new" \
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Determine \
Which
- War File to Deploy</citetitle></link>.</para>
</del><ins>+ <para>To minimize risks, deploy only the core OpenAM server on \
systems directly + connected through a firewall. As a start, deploy only the core \
server (and the + protected web application) on Internet-facing servers. For \
instructions, see + the following section from the
+ OpenAM Installation Guide, <link \
xlink:href="install-guide#which-war-to-deploy" + \
xlink:show="new" \
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Determine \
Which + War File to Deploy</citetitle></link>.</para>
</ins><span class="cx">
</span><del>- <para>You can further limit what is exposed through the \
firewall using the </del><ins>+ <para>You can further limit what is exposed \
through the firewall using the </ins><span class="cx"> following \
strategy:</para> </span><span class="cx">
</span><del>- <itemizedlist>
- <listitem>
- <para>Use a reverse proxy in front of OpenAM to allow
- access only to the necessary URLs.
- A reverse proxy exposes only
- those endpoints needed for an application. For example, if you
- need to expose the OAuth2/OpenID Connect endpoints and REST interface,
- then you should implement a reverse proxy.
- </para>
</del><ins>+ <itemizedlist>
+ <listitem>
+ <para>Use a reverse proxy in front of OpenAM to allow
+ access only to the necessary URLs.
+ A reverse proxy exposes only
+ those endpoints needed for an application. For example, if you
+ need to expose the OAuth2/OpenID Connect endpoints and REST interface,
+ then you should implement a reverse proxy.</para>
</ins><span class="cx">
</span><del>- <para>
- The following figure shows the recommended architecture with a
- reverse proxy.</para>
</del><span class="cx">
</span><del>- <mediaobject \
xml:id="figure-securing-openam-rp">
- <alt>Exposing only a reverse proxy to the Internet</alt>
- <imageobject>
- <imagedata fileref="images/securing-openam-rp.png" \
format="PNG" />
- </imageobject>
- <textobject><para>By placing a reverse proxy between \
OpenAM and the
- Internet, you expose only the necessary endpoints outside your
- infrastructure. Notice that OpenAM installed with the console is \
inside
- your infrastructure as well.</para></textobject>
- </mediaobject>
- <para>For access to the console, deploy the full OpenAM \
application<footnote
- ><para>Console only deployment is no longer \
supported.</para></footnote> on
- a separate system that is reachable only from internal systems. Do \
not
- include the full OpenAM server in the load-balanced pool of OpenAM \
servers
- serving applications.</para>
- </listitem>
- <listitem>
- <para>Leave <literal>ssoadm.jsp</literal> disabled in \
production. (Advanced
- property: \
<literal>ssoadm.disabled=true</literal>)</para>
- </listitem>
- <listitem>
- <para>If possible in your deployment, control access to OpenAM \
console by
- network address, such that administrators can only connect from \
well-known
- systems and networks.</para>
- </listitem>
- <listitem>
- <para>Restrict access to URIs that you do not use, and prevent \
internal
- endpoints such as <literal>/sessionservice</literal> \
from being reachable
- over the Internet.</para>
- <para>For a full list of endpoints, see the \
<citetitle>Reference</citetitle>
- chapter on <link xlink:show="new" \
xlink:href="reference#chap-endpoints"
- xlink:role="http://docbook.org/xlink/role/olink">
</del><ins>+ <para>The following figure shows the recommended architecture \
with a + reverse proxy.</para>
+
+
+ <figure xml:id="figure-securing-openam-rp">
+ <title>Exposing Only a Reverse Proxy to the Internet</title>
+ <mediaobject>
+ <alt>Exposing only a reverse proxy to the Internet</alt>
+ <imageobject>
+ <imagedata fileref="images/securing-openam-rp.png" \
format="PNG" /> + </imageobject>
+ <textobject>
+ <para>By placing a reverse proxy between OpenAM and the
+ Internet, you expose only the necessary endpoints outside your
+ infrastructure. Notice that OpenAM installed with the console is inside
+ your infrastructure as well.</para>
+ </textobject>
+ </mediaobject>
+ </figure>
+
+ <para>For access to the console, deploy the full OpenAM \
application<footnote> + <para>Console-only deployment is no longer \
supported.</para></footnote> on + a separate system that is reachable \
only from internal systems. Do not + include the full OpenAM server in the \
load-balanced pool of OpenAM servers + serving applications.</para>
+ </listitem>
+
+ <listitem>
+ <para>Leave <literal>ssoadm.jsp</literal> disabled in \
production. (Advanced + property: \
<literal>ssoadm.disabled=true</literal>).</para> + \
</listitem> +
+ <listitem>
+
+ <para>If possible in your deployment, control access to OpenAM console by
+ network address, such that administrators can only connect from well-known
+ systems and networks.</para>
+ </listitem>
+
+ <listitem>
+ <para>Restrict access to URIs that you do not use, and prevent internal
+ endpoints such as <literal>/sessionservice</literal> from being \
reachable + over the Internet.</para>
+
+ <para>For a full list of endpoints, see the \
<citetitle>Reference</citetitle> + chapter on <link \
xlink:show="new" xlink:href="reference#chap-endpoints" + \
xlink:role="http://docbook.org/xlink/role/olink"> </ins><span \
class="cx"> <citetitle>Service \
Endpoints</citetitle></link>.</para> </span><del>- \
</listitem>
- </itemizedlist>
</del><ins>+ </listitem>
+ </itemizedlist>
</ins><span class="cx"> </section>
</span><span class="cx">
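Review bot: two style problems in the rebuilt list. On the line `+ property: <literal>ssoadm.disabled=true</literal>).` the added period sits outside the parentheses after what is a complete parenthetical sentence; either drop the period or fold the parenthetical into the preceding sentence, for example `Leave <literal>ssoadm.jsp</literal> disabled in production (advanced property <literal>ssoadm.disabled=true</literal>).` Also, the two empty `+` lines before `+ <figure xml:id="figure-securing-openam-rp">` and the empty `+` line directly after the `<listitem>` of the "control access to OpenAM console by network address" item are stray whitespace that the other items do not have; one blank line between block elements, as used elsewhere in this hunk, is enough. Converting the bare `<mediaobject>` into a titled `<figure>` is otherwise the right fix, since the figure can now be cross-referenced.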
</span><span class="cx"> <section \
xml:id="secure-openam-administration"> </span><span class="lines">@@ \
-211,7 +223,7 @@ </span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="cx"> <para>Keep administration of access management \
services separate from </span><del>- management of the services \
themselves.</para> </del><ins>+ management of the services \
themselves:</para> </ins><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>Create realms for your organization(s) and \
separate administrative </span><span class="lines">@@ -223,7 +235,7 @@
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>Use the \
<literal>realm=<replaceable>realm-name</replaceable></literal>
</span><span class="cx"> query string parameter when redirecting users to \
OpenAM, which gives you </span><del>- a way to isolate the URLs used by an \
application.</para> </del><ins>+ a way to isolate the URLs used by an \
application:</para> </ins><span class="cx"> </listitem>
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>Create fully qualified domain name \
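Review bot: on the line `+ a way to isolate the URLs used by an application:</para>` the period was changed to a colon, but this `<para>` is the last element of its `<listitem>`, and what follows is a sibling `<listitem>` (`Create fully qualified domain name realm/DNS aliases`), not a sub-list. A colon promises subordinate content that never comes; keep the period here. The same period-to-colon change is correct in the `@@ -211` and `@@ -253` hunks, where the `<para>` is the introductory paragraph of an `<itemizedlist>`.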
realm/DNS aliases, and use </span><span class="lines">@@ -253,7 +265,7 @@
</span><span class="cx">
</span><span class="cx"> <itemizedlist>
</span><span class="cx"> <para>Keep communications secure by using \
encryption, properly configured </span><del>- cookies, and request and response \
signatures.</para> </del><ins>+ cookies, and request and response \
signatures:</para> </ins><span class="cx">
</span><span class="cx"> <listitem>
</span><span class="cx"> <para>Protect network traffic by using HTTPS and \
LDAPS where </span><span class="lines">@@ -323,107 +335,132 @@
</span><span class="cx"> </section>
</span><span class="cx">
</span><span class="cx"> <section xml:id="amadmin-changes">
</span><del>- <title>Administering the amadmin Account</title>
</del><ins>+ <title>Administering the amadmin Account</title>
</ins><span class="cx">
</span><del>- <para>You can make changes to the password and user name \
for the main OpenAM administrative account.</para>
- <para>You can change the user name of the \
<literal>amadmin</literal> administrative account
- to something more obscure, such as \
<literal>superroot</literal>.
- However, the capabilities of that alternative administrative
- account would not be complete, due to some hard-coding of \
<literal>amadmin</literal> in the source files.
- When changing the password for the main OpenAM administrative account, \
you must make a corresponding change
- to the authentication datastore. That datastore could be OpenDJ. The \
steps you would take to change
- the OpenAM top-level administrative password and account name are shown \
in the following sections.</para> </del><ins>+ <para>You can make \
changes to the password and user name for the main OpenAM + administrative \
account.</para> </ins><span class="cx">
</span><del>- <procedure xml:id="change-amadmin-password">
- <title>To Change the Password for the Top-Level Administrator \
(normally <literal>amadmin</literal>)</title> </del><ins>+ \
<para>You can change the user name of the \
<literal>amadmin</literal> administrative account + to something more \
obscure, such as <literal>superroot</literal>. + However, the \
capabilities of that alternative administrative + account would not be complete, \
due to some hard-coding of <literal>amadmin</literal> + in the source \
files. + When changing the password for the main OpenAM administrative account, you \
must + make a corresponding change to the authentication datastore. That datastore
+ could be OpenDJ. The steps you would take to change the OpenAM top-level
+ administrative password and account name are shown in the following \
sections:</para> </ins><span class="cx">
</span><del>- <step>
- <para>Login to the OpenAM console as the administrator, \
normally
- <literal>amadmin</literal>.</para>
- </step>
- <step>
- <para>Under Access Control &gt; / (Top Level Realm) \
&gt; Subjects &gt; User, select the name of the
- current top-level administrative user.</para>
- </step>
- <step>
- <para>In the page that appears, navigate to the Password row \
and click Edit.</para>
- </step>
- <step>
- <para>In the window that appears, enter the desired new \
password in the New Password and
- Re-Enter Password text boxes.</para>
- </step>
- <step>
- <para>Click OK to implement the change. If you want to cancel, \
click Close or just close the window.</para>
- </step>
- <step>
- <para>You'll also need to change the password for the \
administrator on the directory server. If you are
- using OpenDJ, refer to the <link xlink:show="new"
- \
xlink:href="${opendjDocBase}/admin-guide/#troubleshoot-reset-admin-passwords"
- ><citetitle>OpenDJ Administration \
Guide</citetitle> section on Resetting Administrator
- Passwords</link>. If you are using a different directory \
server, you will have to refer to the
- documentation for that server.</para>
- </step>
- </procedure>
</del><ins>+ <procedure xml:id="change-amadmin-password">
</ins><span class="cx">
</span><del>- <para>In the following steps, you will identify the new \
administrative user by assigning it to the <literal>
- com.sun.identity.authentication.super.user</literal> directive. \
You may also need to create an
- OpenAM account for the new administrative user. Don't forget to make \
sure that new administrative
- account is configured in the corresponding directory server such as \
OpenDJ.
- </para>
</del><ins>+ <title>To Change the Password for the Top-Level \
Administrator</title> </ins><span class="cx">
</span><del>- <procedure xml:id="change-amadmin-uid">
- <title>To Change the Account Name for the Top-Level Administrator \
(normally <literal>amadmin</literal>)</title> </del><ins>+ \
<step> + <para>Log in to the OpenAM console as the administrator, \
normally + <literal>amadmin</literal>.</para>
+ </step>
</ins><span class="cx">
</span><del>- <step>
- <para>Login to the OpenAM console as the administrator, \
normally
- <literal>amadmin</literal>.</para>
- </step>
- <step>
- <para>Navigate to the page where you can set the properties \
for different classes. Select
- Configuration &gt; Servers and Sites &gt; \
<replaceable>Server Name</replaceable> &gt; \
Advanced.</para>
- </step>
- <step>
- <para>In the Advanced Properties window that appears, click \
Add.</para>
- </step>
- <step>
- <para>You'll see blank entries in the end of the list of \
Property Names and Property Values. In the
- empty Property Name text box, enter \
<literal>com.sun.identity.authentication.super.user</literal>.</para>
- </step>
- <step>
- <para>In the corresponding Property Values test box, enter \
appropriate values for the new administrative
- user in LDAP Data Interchange Format (LDIF). For example, the \
following entry would set up an
- administrative user named \
<literal>superroot</literal>, in the organizational unit named \
<literal>
- people</literal>people, associated with the \
example.com domain:
- \
<literal>uid=superroot,ou=people,dc=example,dc=com</literal>.</para>
- </step>
- <step>
- <para>Click Save to save the changes that you've made. \
</para>
- </step>
- <step>
- <para>If the account doesn't already exist in OpenAM or on a \
connected directory server, you'll need to
- create it. To do so, select Access Control &gt; / (Top Level \
Realm) &gt; Subject &gt; User &gt; New.
- In the New User window that appears, create the new user. Make sure \
to enter an appropriate password
- and make that user Active. The ID for that new user is the user \
name.</para>
- </step>
- <step>
- <para>As noted earlier, you'll also need to make sure that the \
corresponding account on the directory server
- has at least CN=Directory Manager privileges. If you're using \
OpenDJ, refer to the chapter on
- <citetitle>Configuring Privileges &amp; Access \
Control</citetitle> in the
- <link xlink:show="new"
</del><ins>+ <step>
+ <para>Under Access Control &gt; / (Top Level Realm) &gt; Subjects \
&gt; User, + select the name of the current top-level administrative \
user.</para> + </step>
+
+ <step>
+ <para>In the page that appears, navigate to the Password row and click \
Edit.</para> + </step>
+
+ <step>
+ <para>In the window that appears, enter the desired new password in the \
New Password + box and reenter password.</para>
+ </step>
+
+ <step>
+ <para>Click OK to implement the change. If you want to cancel, click Close \
or + just close the window.</para>
+ </step>
+
+ <step>
+ <para>You'll also need to change the password for the administrator on the
+ directory server. If you are
+ using OpenDJ, refer to the <link xlink:show="new"
+ \
xlink:href="${opendjDocBase}/admin-guide/#troubleshoot-reset-admin-passwords">
+ <citetitle>OpenDJ Administration Guide</citetitle> section on \
Resetting Administrator Passwords</link>. + If you are using a different \
directory server, you will have to refer to the + documentation for that \
server.</para> + </step>
+ </procedure>
+
+ <para>In the following steps, you will identify the new administrative user \
by + assigning it to the \
<literal>com.sun.identity.authentication.super.user</literal> + \
directive. You may also need to create an OpenAM account for the new administrative \
user. + Don't forget to make sure that new administrative account is configured in \
the + corresponding directory server such as OpenDJ.
+ </para>
+
+ <procedure xml:id="change-amadmin-uid">
+ <title>To Change the Account Name for the Top-Level \
Administrator</title> +
+ <step>
+ <para>Log in to the OpenAM console as the administrator, normally \
<literal>amadmin</literal>.</para> + </step>
+
+ <step>
+ <para>Navigate to the page where you can set the properties for different \
classes. Select + Configuration &gt; Servers and Sites &gt; \
<replaceable>Server Name</replaceable> &gt; Advanced.</para> + \
</step> +
+ <step>
+ <para>In the Advanced Properties window that appears, click \
Add.</para> + </step>
+
+ <step>
+ <para>You'll see blank entries in the end of the list of Property Names \
and + Property Values. In the empty Property Name text box, enter
+ <literal>com.sun.identity.authentication.super.user</literal>.</para>
+ </step>
+
+ <step>
+ <para>In the corresponding Property Values test box, enter appropriate \
values + for the new administrative user in LDAP Data Interchange Format (LDIF).
+ For example, the following entry would set up an
+ administrative user named <literal>superroot</literal>, in the \
organizational + unit named <literal>people</literal>people, \
associated with the example.com domain: + \
<literal>uid=superroot,ou=people,dc=example,dc=com</literal>.</para>
+ </step>
+
+ <step>
+ <para>Click Save.</para>
+ </step>
+
+ <step>
+ <para>If the account does not already exist in OpenAM or on a connected
+ directory server, you'll need to create it. To do so, select
+ Access Control &gt; / (Top-Level Realm) &gt; Subject &gt; User \
&gt; New. + In the New User window that appears, create the new user. Make \
sure to enter + an appropriate password and make that user Active. The ID for \
that new user + is the user name.</para>
+ </step>
+
+ <step>
+ <para>As noted earlier, you'll also need to make sure that the \
corresponding + account on the directory server has at least CN=Directory Manager \
privileges. + If you're using OpenDJ, refer to the chapter on
+ <citetitle>Configuring Privileges and Access Control</citetitle> in \
the + <link xlink:show="new"
</ins><span class="cx"> \
xlink:href="${opendjDocBase}/admin-guide/#chap-privileges-acis"> \
</span><span class="cx"> <citetitle>OpenDJ Administration \
Guide</citetitle></link>.</para> </span><del>- \
</step>
- </procedure>
</del><ins>+ </step>
+ </procedure>
</ins><span class="cx">
</span><del>- <para>If you do change the account name of the top-level \
administrative account, you should be aware that the
- original <literal>amadmin</literal> account is \
"hard-coded" in the source code of several files.
- The code in these files may affect the functionality of a top-level \
administrative user
- with a name other than \
<literal>amadmin</literal>.</para> </del><ins>+ <para>If you \
do change the account name of the top-level administrative account, + you should be \
aware that the original <literal>amadmin</literal> account is + \
hard-coded in the source code of several files. + The code in these files may \
affect the functionality of a top-level administrative user + with a name other \
than <literal>amadmin</literal>.</para> </ins><span class="cx">
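Review bot: this paragraph warns that amadmin is hard-coded but draws no operational conclusion from it; since the preceding procedure leaves the original amadmin account in place with its hard-coded privileges, add a sentence telling the reader that the amadmin password must still be set and protected (the password procedure above) and that designating a new super user is not a way to retire the amadmin account.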
</span><del>- <para>One of the improvements that we plan to make to \
OpenAM is to eliminate these instances of hard-coding.
- Until we make such improvements, the amadmin user would retain privileges \
related to the LoginState and some
- IDM-related classes.</para>
</del><ins>+ <para>One of the improvements that we plan to make to OpenAM is \
to eliminate + these instances of hard-coding.
+ Until we make such improvements, the amadmin user would retain privileges
+ related to the LoginState and some OpenIDM-related classes.</para>
+ </section>
</ins><span class="cx">
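Review bot: changing "IDM-related classes" to "OpenIDM-related classes" changes the meaning, and almost certainly wrongly: alongside LoginState, "IDM" here refers to OpenAM's own identity repository layer (the com.sun.identity.idm package), not to the OpenIDM product. Revert to the original wording or name the package; also "would retain" should read "retains", since the sentence describes current behaviour.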
</span><del>- </section>
-
</del><span class="cx"> </chapter>
</span></span></pre>
</div>
</div>
<div id="footer">Copyright (c) by ForgeRock. All rights reserved.</div>
</body>
</html>
_______________________________________________
CommitOpenAM mailing list
CommitOpenAM@forgerock.org
https://lists.forgerock.org/mailman/listinfo/commitopenam