Can't set module options in authentication chain

This topic has 6 replies, 4 voices, and was last updated 6 years, 2 months ago by Peter Major.


    We have just started to evaluate OpenAM, and I have run into a problem with a fresh install of OpenAM 13.0.0. I’m trying to create a chain with two modules and shared state for username and password. Everything seems fine when I insert and save the shared state options, but after changing to another page and back again, the number of options has changed to 47 or some other high number. If I try to edit the options, it’s empty. No options are set. Trying to re-add the option at this point does nothing.

    When testing the chain, I have to re-enter username and password if I don’t authenticate to the first module.

    The number of options the GUI reports seems to correspond with the number of letters in the option names and values.

     Peter Major

    Sounds like a rather odd behavior, do you have config exports/screenshot for this? I guess as a workaround you could use ssoadm to set the chain settings instead.


    Experiencing the same issue.
    Is it registered in
    ..could not find any open bugs searching for “chain options”

    My configured authentication chain “Defender”:

    > .\ssoadm.bat get-auth-cfg-entr -m defender -e xxx -u amadmin -f C:\openam-tools\pwd.txt
    Authentication Configuration's entries:
    [name=AD] [flag=REQUISITE] [options=iplanet-am-auth-store-shared-state-enabled=true]
    [name=DevID-Match] [flag=SUFFICIENT] [options=]
    [name=Defender] [flag=REQUISITE] [options=iplanet-am-auth-shared-state-enabled=true,iplanet-am-auth-shared-state-behavior-pattern=useFirstPass]
    [name=DevID-Save] [flag=REQUIRED] [options=]

    Chain shown in XUI:
    [Screenshot: XUI - auth chain listed]

    Module options for first module:
    [Screenshot: module options for first module in chain]


    Additional observation: the count of options per module is just the length of each options string:
    “iplanet-am-auth-store-shared-state-enabled=true” is 48 characters long
    “iplanet-am-auth-shared-state-enabled=true,iplanet-am-auth-shared-state-behavior-pattern=useFirstPass” is 100 characters long


    My current workaround is to use ‘ssoadm update-auth-cfg-entr’ for chain options:

    Windows example with inline config:
    .\ssoadm.bat update-auth-cfg-entr -m myChain -e myRealm -u amadmin -f C:\openam-tools\pwd.txt -a "myAuthModule|REQUISITE|iplanet-am-auth-shared-state-enabled=true iplanet-am-auth-shared-state-behavior-pattern=tryFirstPass"

    Windows Powershell ssoadm example with config file:

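    # Build the chain entry in a here-string; the closing "@ must be at the start of its line
    $spec = @"
    Defender|REQUISITE|iplanet-am-auth-shared-state-enabled=true iplanet-am-auth-shared-state-behavior-pattern=useFirstPass
    "@
    # Write the data file as plain ASCII (Out-File defaults to UTF-16 in Windows PowerShell)
    $spec | Out-File -FilePath "c:\temp\ac-myChain.conf" -Encoding ASCII
    # Apply the data file to the chain
    .\ssoadm.bat update-auth-cfg-entr -m myChain -e myRealm -u amadmin -f C:\openam-tools\pwd.txt -D c:\temp\ac-myChain.conf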
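    After applying the ssoadm workaround, the chain can be re-read with get-auth-cfg-entr and checked against the intended shared-state options instead of relying on the option count shown in the XUI. The PowerShell below is an added example, not part of the original posts; the function names ConvertFrom-AuthChainEntry and Test-AuthChainOptions are hypothetical, and the sample lines are constructed from the output format shown above.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function ConvertFrom-AuthChainEntry {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # Entry format from the thread: [name=AD] [flag=REQUISITE] [options=k=v,k=v]
        $pattern = '^\s*\[name=(?<name>[^\]]+)\]\s*\[flag=(?<flag>[^\]]+)\]\s*\[options=(?<opts>[^\]]*)\]\s*$'
        if ($Line -notmatch $pattern) { return }   # skip banner and blank lines
        $name, $flag, $opts = $Matches['name'], $Matches['flag'], $Matches['opts']
        $options = @{}
        # Options are comma-separated in the output (space-separated in the update syntax)
        foreach ($pair in ($opts -split '[,\s]+')) {
            if (-not $pair) { continue }
            $key, $value = $pair -split '=', 2
            $options[$key] = $value
        }
        [pscustomobject]@{ Name = $name; Flag = $flag; Options = $options }
    }
}

function Test-AuthChainOptions {
    param([object[]]$Entries, [hashtable]$Expected)
    foreach ($module in $Expected.Keys) {
        $entry = $Entries | Where-Object { $_.Name -eq $module } | Select-Object -First 1
        foreach ($key in $Expected[$module].Keys) {
            $actual = if ($entry) { $entry.Options[$key] } else { $null }
            [pscustomobject]@{
                Module = $module; Option = $key; Expected = $Expected[$module][$key]
                Actual = $actual; Ok = ($actual -eq $Expected[$module][$key])
            }
        }
    }
}

# Constructed sample input in the get-auth-cfg-entr output format; in practice pipe
# the output of .\ssoadm.bat get-auth-cfg-entr ... into ConvertFrom-AuthChainEntry.
$sample = @(
    "Authentication Configuration's entries:"
    '[name=AD] [flag=REQUISITE] [options=iplanet-am-auth-store-shared-state-enabled=true]'
    '[name=DevID-Match] [flag=SUFFICIENT] [options=]'
    '[name=Defender] [flag=REQUISITE] [options=iplanet-am-auth-shared-state-enabled=true]'
)
$expected = @{
    AD       = @{ 'iplanet-am-auth-store-shared-state-enabled' = 'true' }
    Defender = @{ 'iplanet-am-auth-shared-state-enabled' = 'true'
                  'iplanet-am-auth-shared-state-behavior-pattern' = 'useFirstPass' }
}
$entries = $sample | ConvertFrom-AuthChainEntry
Test-AuthChainOptions -Entries $entries -Expected $expected | Format-Table -AutoSize
```

    With the constructed sample, the Defender row for iplanet-am-auth-shared-state-behavior-pattern is reported with Ok = False because that option is missing from the sample entry.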

    Hello All,

    I have the same problem and I can confirm that setting it using ssoadm works.

     Peter Major