LoginTC OpenAM Connector allows administrators to incorporate two-factor authentication within their OpenAM authentication policies.
The following diagram illustrates a seamless LoginTC OpenAM Connector integration into an existing corporate network protected by OpenAM. The circled numbers indicate the step in a typical authentication flow.
The LoginTC OpenAM Authentication module is installed in your OpenAM server. It can be configured as a stand-alone policy or added to an existing authentication chain. When a user attempts to access a protected resource, the request is intercepted and the configured authentication policy is applied. When the LoginTC Authentication module is activated, an out-of-band request is sent to the user's mobile app. The request launches the LoginTC app and gives the user an opportunity to approve or deny the request and then enter their PIN or passcode. The user's selection is sent back to the module, which succeeds in the OpenAM authentication chain if the credential was unlocked; otherwise the authentication fails.
Enterprise subscription required
Please contact our sales team for trial access to the LoginTC OpenAM Connector.
Before proceeding, please ensure you have the following:
Sign Up for an administrator account at LoginTC Admin Panel.
Protecting a corporate network or application is done by creating a new domain in your organization. There are various types of domains specific to what you are trying to protect. In this case, since the protected resource is controlled by OpenAM, use an OpenAM domain.
Steps to create a new OpenAM domain:
Use Default Domain Settings
Domain settings can be modified at any time by navigating to Domains > Your Domain > Settings.
The LoginTC OpenAM Connector contains:
Before you begin, log into your OpenAM server via ssh:

```shell
mkdir -p /opt/logintc
cd /opt/logintc
unzip logintc-openam-connector-x.x.x.zip
```
Enterprise subscription required
Please contact our sales team for trial access to the LoginTC OpenAM Connector.
Before you begin, log into your OpenAM server via ssh:

```shell
cd /opt/logintc
sudo service tomcat stop
./install.sh /opt/logintc/logintcauth.jar /usr/share/tomcat/webapps/openam
```

The first argument is the path to `logintcauth.jar`; the second argument is the path to the OpenAM exploded WAR. Then start Tomcat again:

```shell
sudo service tomcat start
```
Navigate to http://www.myopenam.com:8080/openam and set `ssoadm.disabled` to the value `false`, then restart Tomcat:

```shell
sudo service tomcat restart
```

Navigate to http://www.myopenam.com:8080/openam/ssoadm.jsp, copy the contents of `/opt/logintc/amAuthLoginTCAuth.xml`, paste it in the form and click Submit.

Navigate to http://www.myopenam.com:8080/openam/ssoadm.jsp again, enter `com.cyphercor.logintc.openam.LoginTCAuth` and click Submit, then restart Tomcat:

```shell
sudo service tomcat restart
```

Navigate to http://www.myopenam.com:8080/openam and add a new authentication module named LoginTC with Type LoginTC. Click LoginTC in the Modules list to configure the module:
Property | Explanation
---|---
Authentication Level | The authentication level associated with this module
Admin Host | LoginTC Admin host
Organization API Key | The 64-character API key associated with your LoginTC Admin organization
Domain ID | The 40-character ID associated with your OpenAM domain
Timeout | Time in seconds to wait for authentication
```shell
sudo service tomcat restart
```
One-way user synchronization of users from your OpenAM datastore directory to your OpenAM domain in LoginTC Admin is done by running `logintc-sync`. `logintc-sync` will connect via REST to your OpenAM installation, sync users according to the settings in `users.cfg`, and fetch users from your directory using the filter query. If you wish to keep your user directory in sync with the users in your OpenAM domain in LoginTC Cloud, you may periodically run this command (without the `--dry-run` flag).
Go to `conf` in the installation directory:

```shell
cd /opt/logintc/conf
```

Copy the sample file as a template for your configuration file:

```shell
cp sample-users.cfg users.cfg
```

Open the file to modify its contents:

```shell
vi users.cfg
```
```ini
# openam
openam.protocol=http
openam.host=www.myopenam.com
openam.port=8080
openam.path=/openam
openam.admin.username=amadmin
openam.admin.password=password
openam.realm=/
openam.attr.username=uid
openam.attr.name=cn
openam.attr.email=mail
openam.filter.objectclass=person
# logintc
logintc.apikey=
logintc.domainid=
```
OpenAM configuration values:

Property | Explanation | Examples
---|---|---
openam.protocol | The protocol of your OpenAM server | http or https
openam.host | The host of your OpenAM server | www.myopenam.com
openam.port | The port of your OpenAM server | 8080
openam.path | The path to your OpenAM installation | /openam
openam.admin.username | The username of a user with admin privileges in the realm | amadmin
openam.admin.password | The password of the above account | password
openam.realm | The realm in which the module is installed | /
openam.attr.username | The attribute containing the user's username | uid
openam.attr.name | The attribute containing the user's real name | cn
openam.attr.email | The attribute containing the user's email |
openam.filter.objectclass (optional) | The object class of the users | person
LoginTC configuration values:

Property | Explanation
---|---
logintc.apikey | The 64-character key associated with your LoginTC Admin organization.
logintc.domainid | The 40-character ID associated with your OpenAM domain.
The API key is found on the LoginTC Admin Settings page. The Domain ID is found on your domain settings page.
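Before running the sync against a live OpenAM server it is worth sanity-checking `users.cfg`. The following is an added example, not part of the LoginTC connector: it parses the key=value file, rebuilds the OpenAM URL the sync tool will query, and reports problems using the constraints given in the tables above (http or https, a 64-character API key, a 40-character domain ID). The sample file content is constructed for the example.

```python
# Added example, not part of the LoginTC connector: pre-flight checks for a
# users.cfg before running logintc-sync, using the lengths the tables state.
SAMPLE_CFG = """\
openam.protocol=http
openam.host=www.myopenam.com
openam.port=8080
openam.path=/openam
openam.admin.username=amadmin
openam.admin.password=password
openam.realm=/
openam.attr.username=uid
openam.attr.name=cn
openam.attr.email=mail
logintc.apikey=
logintc.domainid=
"""  # constructed sample with the same keys as sample-users.cfg
REQUIRED = ("openam.protocol", "openam.host", "openam.port", "openam.path",
            "openam.admin.username", "openam.admin.password", "openam.realm",
            "openam.attr.username", "openam.attr.name", "openam.attr.email",
            "logintc.apikey", "logintc.domainid")

def parse_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                cfg[key.strip()] = value.strip()
    return cfg

def openam_base_url(cfg):
    """The OpenAM URL the sync tool queries, built from the openam.* keys."""
    return "{}://{}:{}{}".format(cfg["openam.protocol"], cfg["openam.host"],
                                 cfg["openam.port"], cfg["openam.path"])

def check_cfg(cfg):
    """Return a list of problems; an empty list means the file is ready."""
    problems = ["missing key " + k for k in REQUIRED if k not in cfg]
    proto = cfg.get("openam.protocol")
    if proto not in ("http", "https"):
        problems.append("openam.protocol must be http or https")
    elif proto == "http":  # the admin password travels in the REST calls
        problems.append("openam.protocol is http: admin password sent in cleartext")
    if len(cfg.get("logintc.apikey", "")) != 64:
        problems.append("logintc.apikey must be exactly 64 characters")
    if len(cfg.get("logintc.domainid", "")) != 40:
        problems.append("logintc.domainid must be exactly 40 characters")
    return problems
```

Run `check_cfg(parse_cfg(open("users.cfg").read()))` on your real file; the sample above fails because its key and domain ID are empty and it uses plain http.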
Example:

```shell
cd /opt/logintc/bin
sudo ./logintc-sync /opt/logintc/conf/users.cfg
```

Output:

```
Processing /opt/logintc/users.cfg...
Querying OpenAM Rest service [http://www.myopenam.com:8080]
Found 2 users
+-------+----------+----------+----------------------+
| Realm | Username | Name     | Email                |
+-------+----------+----------+----------------------+
| /     | john.doe | John Doe | john.doe@example.com |
| /     | jane.doe | Jane Doe | jane.doe@example.com |
+-------+----------+----------+----------------------+
Synchronizing 2 users...
Done.
```
Check that your users were added to your domain by viewing them in LoginTC Admin Panel.
There are several other options for managing your users within LoginTC:
Once you have synchronized some users you can test the LoginTC module.
Navigate to www.myopenam.com:8080/openam/UI/Login?module=LoginTC
Enter the test user’s username. You should now receive an authentication request on your mobile device. After authenticating you will be shown OpenAM user data.
Authentication Chaining

Now that everything is tested, you will want to create a new authentication chain, or modify an existing one, to include the LoginTC module.
Navigate to http://www.myopenam.com:8080/openam and create a new authentication chain named LoginTC, then click OK. Add the LoginTC module to the chain with its criteria set to REQUIRED, then restart Tomcat:

```shell
sudo service tomcat restart
```

Test the chain by navigating to www.myopenam.com:8080/openam/UI/Login?service=LoginTC
You can add other authentication modules to build chains. For example, the following will first prompt for a username and password and then request a second factor using the LoginTC module:
Sample flow:
User Enrolment

Once users have been synced to your OpenAM domain and you have tested your setup, you can begin the process of user provisioning.
As seen in the Testing Installation section, users are issued a confirmation code which they use to load a new token on their mobile app. The Issue Token button will send an email to your user with full instructions on how to load a token. Sample email:
Additional Resources