If this blog helped you in any way (professionally), please donate a dollar here

Thursday, July 10, 2014

Client IP based session validation in OpenAM

In Single Sign On (SSO), the cookie itself is the sole mode of validation for most systems.

With OpenAM, one can assign extra attributes to the session other than the cookie. Validation based on client IP addresses can be done as well. What this means is that, when the IP address changes of an user, the user has to login to OpenAM (or Relying Party/Service Provider )  again, since his session is no longer valid for the IP.

So this is how one would do this:

Go : Configuration -> Server & Sites -> Default server settings

 Then to advanced:


Then add this property:

com.iplanet.am.clientIPCheckEnabled and set it to true

To read:
http://docs.oracle.com/cd/E19462-01/819-4671/gbaxi/index.html

References:
ForgeRock documentation about X-Forwarded-For

No comments:

Post a Comment