OpenAM – Lastlogin timestamp is not getting updated (during IDP initiated flow)

This topic has 4 replies, 3 voices, and was last updated 7 months, 3 weeks ago by Scott Heger.


    I have configured OpenAM as SP. SSO and JIT work fine with the configured IDP. Since the user logs in to the system via the IDP and not the SP (OpenAM), the last login attribute is not getting updated in the OpenAM LDAP.

    As per our company policy, if a user's last login timestamp is more than 3 months old, we deactivate the user in OpenAM. Currently this is not achievable, as the last login timestamp is not available for users who log in via the IDP.

    Is there a way to get this attribute into LDAP when the user logs in via the IDP?

    Steps to replicate the issue:

    1. Configure OpenAM as SP.
    2. Configure another system as IDP.
    3. Log in to the IDP.
    4. Click on the dashboard tile and access the application configured in the SP.
    5. Verify that the lastlogin timestamp is missing in the SP.

     Bill Nelson

    The last login property is stored in DS (not AM). AM doesn't update the last login property unless you make that part of your journey (AM 7) or a post-authentication plugin (pre AM 7). The last login property is updated by the directory server if you have that property enabled in your password policy.

    See here for more details:


    Hi Bill,

    Many thanks for your response. I agree with you that the last login time is set by LDAP/OpenDS and by the password policy. Unless a user authenticates to our LDAP this won't get updated. We will explore the option of writing a PAP to implement this feature.

    I also wonder if the Manage NameID service, as detailed in the doc (section 2.5), is an option to terminate a user in the SP based on a request from the IDP.

    However, our IDP is not using ForgeRock and I am not sure if they will be performing the below. The IDP won't have idpMNIRequestInit.jsp at their end to call the URL below. In the document, I believe both SP and IDP are assumed to be ForgeRock and can use MNIRequestInit.jsp. What if the IDP doesn't support the NameID service? Am I missing something here?

    To initiate the process of terminating account federation from the identity provider, access the
    following URL with at least the query parameters shown.

    Basically, we are trying to synchronize data between the IDP and the SP. If an email gets changed in the IDP it must get updated in the SP. If a user is terminated in the IDP, he must get terminated in the SP. Is the NameID service a solution to this?


    I am wondering whether the improvement detailed in the ticket is related to the issue I described in my initial post.

     Scott Heger

    How you achieve this will depend on how you have your SAML configuration set up in AM. You mention AM is the SP. How is that integrated into your authentication flow? Is it pure SAML where you kick off authentication via either IDP or SP initiated SAML requests? Are you using the SAML2 authentication module as part of an Authentication Chain? Are you using the SAML2Node in an Authentication Tree? Depending on your set up you can achieve this by having some custom code write to your LDAP store and update a custom attribute for tracking last login time. If pure SAML look into a custom SP Adapter. If module/chain, look into a PAP. If node/tree, look into a custom node.
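The module/chain variant Bill and Scott describe, written out as an added example (this is not code from the thread or from ForgeRock): a post-authentication plugin that stamps a custom last-login attribute on the user's DS entry after a successful login through an authentication chain that uses the SAML2 module. The attribute name customLastFederatedLogin and the package name are assumptions; the attribute must exist in the DS schema and be listed in the data store's LDAP User Attributes before AM is allowed to write it. A login that never passes through an AM chain (a pure SAML consumer endpoint) does not invoke a PAP, and tree-based logins in AM 7 do not either; in those cases the same write belongs in an SP adapter or a custom node, as Scott says.

```java
package com.example.openam.pap; // assumed package name, not a ForgeRock one

import java.text.SimpleDateFormat;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.shared.debug.Debug;

/**
 * Post Authentication Plugin (pre AM 7 chains) that records the time of a
 * successful login in a custom attribute of the user's identity-store entry.
 * DS's own lastLoginTime is only written on an LDAP bind, which never happens
 * for a user who authenticates at the IdP, so the stamp is written here instead.
 */
public class LastFederatedLoginPap implements AMPostAuthProcessInterface {

    /** Assumed custom attribute; add it to the DS schema and to the data store's LDAP User Attributes. */
    static final String LAST_LOGIN_ATTR = "customLastFederatedLogin";

    private static final Debug DEBUG = Debug.getInstance("LastFederatedLoginPap");

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response, SSOToken ssoToken) throws AuthenticationException {
        try {
            // Resolve the identity the chain just authenticated (the JIT-provisioned DS user).
            AMIdentity user = IdUtils.getIdentity(ssoToken);

            Map<String, Set<String>> attrs = new HashMap<>();
            attrs.put(LAST_LOGIN_ATTR, Collections.singleton(generalizedTimeNow()));
            user.setAttributes(attrs);
            user.store(); // persist to DS
        } catch (IdRepoException | SSOException e) {
            // Choice made here: do not fail an otherwise valid login because the audit
            // stamp could not be written. If the 3-month deactivation policy must be
            // enforceable without gaps, throw new AuthenticationException(...) instead.
            DEBUG.error("Could not write " + LAST_LOGIN_ATTR + " for authenticated user", e);
        }
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        // Nothing to record: a failed login must not refresh the last-login stamp.
    }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
            SSOToken ssoToken) throws AuthenticationException {
        // Not used.
    }

    /** Current UTC time as LDAP GeneralizedTime, e.g. 20220314091500Z, so it sorts and compares in LDAP filters. */
    static String generalizedTimeNow() {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'Z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        return fmt.format(new Date());
    }
}
```

Register the class in the realm's (or the chain's) Authentication Post Processing Classes after placing the jar on AM's classpath. Storing the value as GeneralizedTime means the deactivation job can be a single ordering search, for instance a filter of the form (customLastFederatedLogin<=20220101000000Z) with the cutoff computed three months back, provided the schema gives the attribute a generalizedTimeOrderingMatch ordering rule; a plain string attribute would not support the comparison. Note also that the PAP only fires for chain logins, so a session created by another path (a local bind, or SAML consumed outside a chain) will not update the stamp, and those users would still look inactive to the job.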



©2022 ForgeRock
