I have a typical OpenAM, OpenIDM, and OpenDJ federation setup and am able to authenticate based on the user name and password and allow access to the service provider. I want to extend the authentication part by checking the value of one of the attributes, ‘UserStatus’. So, to be authenticated and allowed access, apart from user name and password, UserStatus must be ‘active’. If the UserStatus is Error or inactive, the user should not be authenticated.
Maybe I am missing something, but what you describe is the out-of-the-box behaviour in OpenAM.
If you go to the OpenAM admin console, log in as administrator, go to the realm where your users are, list the subjects, select one of the users and then set the “User Status” to inactive, the user won’t be able to authenticate.
The attribute in LDAP used to set the user active or inactive is “inetuserstatus” by default, but you can change that in the DataStore configuration.
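To make the behaviour described in the answer concrete, here is an added, stand-alone model of the status check (example code written for this page, not OpenAM's own code, and not from either poster). It parses a small constructed LDIF snippet standing in for OpenDJ entries, "binds" with a plaintext password compare (a real deployment binds against OpenDJ and never sees the stored hash), and then applies the user-status rule as I understand the OpenAM LDAP data store applies it: a missing status attribute counts as active, and any value other than the configured active value ("Active" by default) counts as inactive, so a value such as "Error" locks the user out just like "Inactive". The attribute name and active value are parameters so the custom-attribute case from the Data Store configuration can be shown as well; the sample users, passwords and the `userStatus` attribute are assumptions made for the example.

```python
# Added example: model of OpenAM's post-bind user-status check. Not OpenAM code.
from typing import Dict, List, Optional

DEFAULT_STATUS_ATTR = "inetUserStatus"  # OpenAM default; changeable in the Data Store
DEFAULT_ACTIVE_VALUE = "Active"         # assumed default "active" value

# Constructed sample directory data (stands in for OpenDJ entries).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetuser
uid: alice
userPassword: secret1
inetUserStatus: Active

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetuser
uid: bob
userPassword: secret2
inetUserStatus: Inactive

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetuser
uid: carol
userPassword: secret3
inetUserStatus: Error

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetuser
uid: dave
userPassword: secret4

dn: uid=eve,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: eve
userPassword: secret5
userStatus: inactive
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value' lines,
    continuation lines starting with a space. Attribute names are folded to
    lowercase because LDAP attribute types are case-insensitive."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_key = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def is_active(entry: Dict[str, List[str]],
              status_attr: str = DEFAULT_STATUS_ATTR,
              active_value: str = DEFAULT_ACTIVE_VALUE) -> bool:
    """Assumed OpenAM rule: no attribute -> active; otherwise the value must
    equal the configured active value, compared case-insensitively."""
    values = entry.get(status_attr.lower())
    if not values:
        return True
    return values[0].strip().lower() == active_value.lower()


def authenticate(entries: List[Dict[str, List[str]]], uid: str, password: str,
                 status_attr: str = DEFAULT_STATUS_ATTR,
                 active_value: str = DEFAULT_ACTIVE_VALUE) -> str:
    """Return 'ok', 'no-such-user', 'bad-password' or 'inactive'.
    Credentials are checked first (the bind), then the status, as OpenAM does."""
    for entry in entries:
        if entry.get("uid", [""])[0] != uid:
            continue
        if entry.get("userpassword", [""])[0] != password:  # plaintext stand-in for bind
            return "bad-password"
        return "ok" if is_active(entry, status_attr, active_value) else "inactive"
    return "no-such-user"


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for name, pw in [("alice", "secret1"), ("bob", "secret2"), ("carol", "secret3"),
                     ("dave", "secret4"), ("alice", "wrong")]:
        print(name, authenticate(users, name, pw))
    # Same directory, but the Data Store configured to read a custom attribute.
    print("eve (custom attr)", authenticate(users, "eve", "secret5", status_attr="userStatus",
                                            active_value="active"))
```

Note the difference between dave and eve: neither has `inetUserStatus`, so with the default configuration both are active; only when the Data Store is pointed at `userStatus` does eve's `inactive` value take effect. This is why the attribute name in the Data Store configuration must match whatever your provisioning layer (OpenIDM here) actually writes.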