How to use our own login page instead of OpenAM default login page?


This topic has 35 replies, 9 voices, and was last updated 5 years, 3 months ago by [email protected].


    Okay @rarondini. I am asking the same because I tried it myself many times, but I am still not able to configure the policy. Being stuck on the same issue for two days can make you restless and crazy. Maybe I sound like a kid, but I need supervision on what I am doing wrong, or a demo video of authorization would be a great help.

     Rogerio Rondini

    Are you able to use OpenDJ as identity store instead of DB Table ?

    If so, you will not need to take care of the datastore group configuration, so it is pretty easy. Using the OpenAM end-user page itself you will be able to create groups and assign users to a group. After that you will see in the Policy Configuration page, in the Subject Group field, all the groups that you have created.

    I think it would be better for a test and for understanding how things work. After working with OpenDJ you can try to go back to the DB datastore and figure out the group configuration.

    Just a suggestion.


    @rarondini, by God's grace I am able to make a policy and map resources to the policy using my MySQL DB.
    But now I am facing a problem in hitting the REST API. The version of OpenAM I am using is 13.0. On hitting the REST API


    The result is: AUTHORIZE

    And on hitting http://localhost:8080/openam/identity/authorize/?uri=http://localhost:8085/ForgeRockSample/home/jang/jang&action=GET&subjectid=AQIC5wM2LY4SfcyRyn4iDd8R6DYnK4a6KPXE1u_cqTLVR7Q.*AAJTSQACMDEAAlNLABMzNTkwMzgzOTk4ODY2ODYwOTQwAAJTMQAA*

    I am still getting the same result: java.lang.UnsupportedOperationException AUTHORIZE

    What is the correct way to check authorisation in OpenAM using the REST API?

     Brad Tumy


    You are using the older API … I don’t know if it’s been deprecated. See the current documentation for more information on using the current API:!/docs/openam/13/dev-guide#rest-api-authz-policy-decisions

    Here is the example curl statement from the docs:

    $ curl \
     --request POST \
     --header "iPlanetDirectoryPro: AQIC5..." \
     --header "Content-Type: application/json" \
     --data '{
        "resources": [
            "http://www.example.com:80/index.html",
            "http://www.example.com:80/do?action=run"
        ],
        "application": "iPlanetAMWebAgentService"
     }' \
     https://openam.example.com:8443/openam/json/policies?_action=evaluate
    [ {
      "resource" : "http://www.example.com:80/do?action=run",
      "actions" : { },
      "attributes" : { },
      "advices" : {
        "AuthLevelConditionAdvice" : [ "3" ]
      }
    }, {
      "resource" : "http://www.example.com:80/index.html",
      "actions" : {
        "POST" : false,
        "GET" : true
      },
      "attributes" : {
        "cn" : [ "demo" ]
      },
      "advices" : { }
    } ]
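Consuming the decision list from that call, as an added example that is not from the docs or from the poster: it builds the same request body, sends it with the session token in the iPlanetDirectoryPro header, and turns each decision into allow, deny or a step-up request, failing closed when no decision comes back for a resource. The host name, the resource URLs and the SAMPLE_DECISIONS data are constructed placeholders shaped like the curl output above.

```python
import json
import urllib.request
from typing import Dict, List, Optional

# Constructed sample response: the two-entry decision list that OpenAM 13 returns from
# POST /json/policies?_action=evaluate, mirroring the shape of the curl output above.
# Resource URLs and attribute values are illustrative, not from a live server.
SAMPLE_DECISIONS: List[Dict] = [
    {
        "resource": "http://www.example.com:80/do?action=run",
        "actions": {},                       # no decision: the policy needs more from the caller,
        "attributes": {},
        "advices": {"AuthLevelConditionAdvice": ["3"]},  # namely an authentication level of 3
    },
    {
        "resource": "http://www.example.com:80/index.html",
        "actions": {"POST": False, "GET": True},
        "attributes": {"cn": ["demo"]},
        "advices": {},
    },
]


def build_evaluate_body(resources: List[str],
                        application: str = "iPlanetAMWebAgentService") -> Dict:
    """Request body for policy evaluation, as in the curl example."""
    return {"resources": list(resources), "application": application}


def evaluate(base_url: str, sso_token: str, resources: List[str]) -> List[Dict]:
    """POST the evaluation request to OpenAM and return the decision list.

    base_url is the deployment URI (e.g. https://openam.example.com:8443/openam, a
    placeholder). The caller's session token travels in the iPlanetDirectoryPro header,
    exactly as in the curl example. Nothing is sent until this function is called.
    """
    req = urllib.request.Request(
        f"{base_url}/json/policies?_action=evaluate",
        data=json.dumps(build_evaluate_body(resources)).encode("utf-8"),
        headers={"iPlanetDirectoryPro": sso_token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _decision_for(decisions: List[Dict], resource: str) -> Optional[Dict]:
    return next((d for d in decisions if d.get("resource") == resource), None)


def is_allowed(decisions: List[Dict], resource: str, action: str) -> Optional[bool]:
    """True = explicitly allowed, False = explicitly denied, None = no decision returned."""
    d = _decision_for(decisions, resource)
    if d is None:
        return None
    return d.get("actions", {}).get(action)


def required_auth_level(decisions: List[Dict], resource: str) -> Optional[int]:
    """Highest level in AuthLevelConditionAdvice for the resource, or None if none was advised."""
    d = _decision_for(decisions, resource)
    levels = (d or {}).get("advices", {}).get("AuthLevelConditionAdvice", [])
    return max(int(level) for level in levels) if levels else None


def enforce(decisions: List[Dict], resource: str, action: str) -> str:
    """What the policy enforcement point should do with the decision list.

    Only an explicit True is an allow. A missing decision that carries an auth level
    advice means "ask the user to step up"; anything else (explicit deny, unknown
    resource, empty response) fails closed.
    """
    allowed = is_allowed(decisions, resource, action)
    if allowed is True:
        return "allow"
    level = required_auth_level(decisions, resource)
    if allowed is None and level is not None:
        return f"step-up:{level}"
    return "deny"
```

The point of `enforce` is the middle case: an empty `actions` object is not a deny, it is "undecided", and the `advices` block tells the enforcement point what is missing (here, a session at authentication level 3). Treating "undecided" as "allow" is the classic mistake when reading this response.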


    I am trying to use my own login page instead of the OpenAM default page using the Facebook module. So far I am able to do the following:

    1. I have successfully POSTed:
    In the response I get authId, NTID in the response cookie, and redirectURL.

    2. I did a GET on my redirectURL and successfully obtained code and state from Facebook.

    3. This is where my problem begins. Now I am trying to POST again, with my NTID and authId in the cookie and the JSON object below:


    This returns me a 401 Unauthorized error.

    How do I send my last POST call to get the token ID, or am I missing anything? Please help.

    Priya Jain


    Hi Rondini,

    In your post about a custom login site in a SAML2 flow…

    You just need to remember to setup the right cookie (iPlanetDirectoryPro) and redirect to IDP end point like “../openam/SSOPOST/metaAlias/idp” or “../open/SSORedirect/metaAlias/idp” after authentication, and leave the rest of the service to OpenAM.

    Are you suggesting that we have the SP first redirect the user to our custom login page to authenticate? If so, do we first need to capture the SAML2.0 parameters in the post body like ‘RelayState’ and ‘SAMLRequest’? I assume we do, so that we can later replay them to /openam/SSOPOST/metaAlias/idp after successful authentication. The custom login site would temporarily store these in session state. Does this sound right? In a sense, we’re asking the user to log into our custom page, independent of the SAML2.0 process, and then we resume the SAML2 handshake after successful authentication. Does this sound right?

    I’m also trying to figure out what happens if we still have the iPlanetDirectoryPro cookie in the browser when they visit the custom login site. Should we attempt to validate that first in order to avoid an unnecessary authentication? Does the /openam/SSOPOST/metaAlias/idp endpoint do anything with that session cookie? Any guidance is appreciated.
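The flow this post describes, as an added example that is not part of the original thread: the custom login site keeps only the SAML2 parameters from the SP's request, checks whether a cookie the browser still holds is a live OpenAM session before asking for credentials, and afterwards replays the saved parameters to the IdP's SSOPOST endpoint. The session-validation call (POST /json/sessions/<token>?_action=validate) is assumed from the OpenAM 13 REST API rather than taken from the thread, and all URLs are placeholders.

```python
import html
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# Parameters an SP sends to the IdP over the SAML2 POST or Redirect binding. Anything
# else in the incoming form is dropped rather than stored in the login site's session.
SAML_PARAMS = ("SAMLRequest", "RelayState", "SigAlg", "Signature")


def capture_saml_params(form: Dict[str, str]) -> Dict[str, str]:
    """Keep only the SAML2 parameters from the SP's request so they can be replayed later.

    Refuses to start a login that did not arrive with a SAMLRequest: there is then
    nothing to resume, and the user belongs on a plain (non-SAML) login instead.
    """
    saved = {k: v for k, v in form.items() if k in SAML_PARAMS and v}
    if "SAMLRequest" not in saved:
        raise ValueError("request carries no SAMLRequest; nothing to resume")
    return saved


def parse_validate_response(body: Dict) -> Optional[str]:
    """uid of the session owner if OpenAM reported the token valid, else None."""
    return body.get("uid") if body.get("valid") is True else None


def validate_session(base_url: str, sso_token: str) -> Optional[str]:
    """Ask OpenAM whether an iPlanetDirectoryPro value the browser still holds is live.

    ASSUMPTION: the OpenAM 13 call POST <base_url>/json/sessions/<token>?_action=validate,
    which answers {"valid": true, "uid": "...", "realm": "..."} or {"valid": false}.
    Any transport or parse error counts as "not valid", so the user simply logs in again.
    """
    req = urllib.request.Request(
        f"{base_url}/json/sessions/{sso_token}?_action=validate",
        data=b"{}", headers={"Content-Type": "application/json"}, method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_validate_response(json.load(resp))
    except (urllib.error.URLError, ValueError):
        return None


def next_step(saved: Dict[str, str], sso_token: Optional[str],
              validator: Callable[[str], Optional[str]]) -> str:
    """Decide what the custom login site does when the SP's request arrives.

    "resume" when the browser already holds a session that OpenAM confirms as valid
    (no second login), otherwise "show-login". The SAML parameters in `saved` stay in
    the site's server-side session either way and are never re-read from the browser.
    """
    if sso_token and validator(sso_token):
        return "resume"
    return "show-login"


def build_idp_resume_form(idp_sso_post_url: str, saved: Dict[str, str]) -> str:
    """Auto-submitting form that hands the stored SAML parameters back to the IdP's
    SSOPOST endpoint (e.g. .../openam/SSOPOST/metaAlias/idp) once the user is logged in.

    Every value is HTML-escaped: RelayState in particular arrives from outside and must
    not be able to break out of its attribute.
    """
    fields = "\n".join(
        f'  <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in saved.items()
    )
    return (
        f'<form method="post" action="{html.escape(idp_sso_post_url, quote=True)}">\n'
        f"{fields}\n"
        '  <noscript><input type="submit" value="Continue"></noscript>\n'
        "</form>\n"
        "<script>document.forms[0].submit();</script>"
    )
```

`next_step` takes the validator as a parameter so the decision logic can be exercised without a server; in production it is called with `lambda t: validate_session(BASE_URL, t)`. Whether SSOPOST itself honours an existing iPlanetDirectoryPro cookie is the question the post asks and is not something this example answers; validating the cookie first, as the poster suggests, is what lets the site skip the login form safely.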

Viewing 6 posts - 31 through 36 (of 36 total)

