Open AM Tutorial

This page helps with OpenAM login and logout topics.


A user interface is available for logging in: https://endpointOpenam/auth/UI/Login.

Programmatically, the following methods exist for obtaining a valid SAML session:

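GET on endpointOpenAM/auth/UI/Login?service=hmgUsernamePassword&IDToken1=emailValue&IDToken2=password.

Because the credentials are part of the query string here, they are recorded in web server and proxy access logs.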

This will return a cookie in the response which contains the actual token. The following is some Groovy code to get the token from the response:

    messageExchange.responseHeaders.each { setCookie ->
      if (setCookie.key.equalsIgnoreCase("Set-Cookie")) {
        setCookie.value.each { setCookieValue ->
          if (setCookieValue.contains("iPlanetDirectoryPro")) {
            // Cookie format: iPlanetDirectoryPro=<token>; Path=/; ...
            ssoToken = setCookieValue.tokenize('=').get(1).tokenize(';').get(0)
          }
        }
      }
    }

Skipping the certificate validation in Java

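OpenAM installations usually allow connections over HTTPS. In case you want to bypass the mandatory certificate validation, the following code creates a REST client that accepts all certificates and all host names. Such a client no longer authenticates the server, so it is only suitable for test servers with self-signed certificates: on any other network path the password and SSO token it sends can be intercepted.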

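    import javax.net.ssl.*;
    import java.security.SecureRandom;
    import java.security.cert.X509Certificate;
    import javax.ws.rs.client.*;

    // Trust manager that accepts every certificate chain without validation
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            // The interface contract expects a non-null (possibly empty) array
            return new X509Certificate[0];
        }

        public void checkClientTrusted(X509Certificate[] certs,
                String authType) {
        }

        public void checkServerTrusted(X509Certificate[] certs,
                String authType) {
        }
    } };

    // Install the all-trusting trust manager
    SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(null, trustAllCerts, new SecureRandom());

    // The hostname verifier accepts any host name as well
    Client client = ClientBuilder.newBuilder().sslContext(sc)
            .hostnameVerifier(new HostnameVerifier() {
                public boolean verify(String hostname,
                        SSLSession session) {
                    return true;
                }
            }).build();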
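
A stricter alternative for test servers with self-signed certificates, shown as an added example that is not code from the original page: the client trusts only the certificate exported from the OpenAM server and leaves host name verification on. The class name `PinnedOpenAmClient` and the certificate file path passed to it are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

public class PinnedOpenAmClient {  // hypothetical class name
    /** Builds a JAX-RS client that trusts only the certificate(s) in the given PEM or DER file. */
    public static Client build(Path certFile) throws Exception {
        // In-memory trust store that starts empty: nothing is trusted by default
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        // Add every certificate found in the file (the server certificate or its issuing CA)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(certFile)) {
            int i = 0;
            for (Certificate cert : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("openam-" + i++, cert);
            }
            if (i == 0) {
                throw new IllegalArgumentException("No certificate found in " + certFile);
            }
        }

        // Trust managers derived from that store validate the chain against it
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);

        // No hostnameVerifier override: the client's default host name check stays active
        return ClientBuilder.newBuilder().sslContext(sc).build();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the exported certificate, e.g. openam-test.pem (assumed name)
        Client client = build(Paths.get(args[0]));
        System.out.println("Client ready: " + client);
        client.close();
    }
}
```

Because host name verification stays on, the certificate's subject or subject alternative name has to match the host name used in the OpenAM URL.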

OpenAM REST API for authentication

Getting the SSO token is a simple POST request on something like this: You have to have the following information in the headers:

    X-OpenAM-Username: usernameValue
    X-OpenAM-Password: passwordValue
    Content-Type: application/json

The request body should be empty.

In case you want to be more specific in your request, for example to specify the login module or authentication chain, you have to modify your request as described here:

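    import javax.ws.rs.client.*;
    import javax.ws.rs.core.MediaType;
    import javax.ws.rs.core.Response;

    // openAmUrl: base URL of the OpenAM deployment (the value is elided in the original)
    WebTarget webTarget = client.target(openAmUrl);

    WebTarget resourceWebTarget = webTarget.path(loginPath);

    // Credentials go in the headers; the request body stays empty
    Invocation.Builder invocationBuilder = resourceWebTarget
            .request(MediaType.APPLICATION_JSON);
    invocationBuilder.header("X-OpenAM-Username", email);
    invocationBuilder.header("X-OpenAM-Password", password);

    Response authTokenResponse = invocationBuilder.post(Entity.entity(
            "", MediaType.APPLICATION_JSON));

    if (authTokenResponse.getStatus() == Response.Status.OK
            .getStatusCode()) {
        System.out.println("First post returned the json web token OK");

        // LoginResponse maps the JSON reply; tokenId holds the SSO token
        ssoToken = (authTokenResponse.readEntity(LoginResponse.class)).tokenId;

    } else {
        System.out.println("First post returned "
                + authTokenResponse.getStatus());
    }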