chap-endpoints.xml revision f94f67347e3429cfcf6c0939c81b3ddb18ceba07
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter [
<!ELEMENT chapter (title|indexterm|para|itemizedlist|section)*>
<!ATTLIST chapter
xml:id CDATA #REQUIRED
xmlns CDATA #REQUIRED
version CDATA #REQUIRED
xml:lang CDATA #REQUIRED
xmlns:xsi CDATA #REQUIRED
xsi:schemaLocation CDATA #REQUIRED
xmlns:xlink CDATA #REQUIRED
xmlns:xinclude CDATA #REQUIRED>
<!ELEMENT title (#PCDATA)>
<!ELEMENT indexterm (primary|secondary|tertiary)*>
<!ELEMENT primary (#PCDATA)>
<!ELEMENT para (literal|link|citetitle|replaceable)*>
<!ELEMENT literal (#PCDATA)>
<!ELEMENT link (citetitle)*>
<!ATTLIST link
xlink:href CDATA #REQUIRED
xlink:role CDATA #IMPLIED
xlink:show CDATA #IMPLIED>
<!ELEMENT itemizedlist (para|listitem)*>
<!ELEMENT listitem (para)*>
<!ELEMENT citetitle (#PCDATA)>
<!ELEMENT section (title|indexterm|para|variablelist)*>
<!ATTLIST section
xml:id CDATA #REQUIRED>
<!ELEMENT secondary (#PCDATA)>
<!ELEMENT tertiary (#PCDATA)>
<!ELEMENT variablelist (varlistentry|para)*>
<!ELEMENT varlistentry (term|listitem)*>
<!ELEMENT term (literal)*>
<!ELEMENT replaceable (#PCDATA)>
]>
<chapter xml:id='chap-endpoints'
xmlns='http://docbook.org/ns/docbook'
version='5.0' xml:lang='en'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Service Endpoints</title>
<indexterm><primary>Endpoints</primary></indexterm>
<para>A service endpoint is a URL which serves as the access port for a web service. It may be a standard HTML-based
web page, or it may be a *.jsp page.</para>
<!--
I'd define an endpoint as the entry point to a web service.
Endpoint seems to be a term in web services, http://docs.oracle.com/javaee/5/api/javax/xml/ws/Endpoint.html
If there's a better word for these, let's use it.
More info: http://www.scribd.com/doc/17599432/Designing-Web-Services-With-the-J2EE-14-Platform-JAXRPC-SOAP-And-XML-Technologies
Figure 2.3
http://stackoverflow.com/questions/9807382/what-is-a-web-service-endpoint
http://www.oracle.com/technetwork/articles/erl-wsdl-087381.html
-->
<para>As every service endpoint is a potential security issue, it may be appropriate to
restrict access to some of those endpoints that you do not use. But be careful.
Some endpoints, such as <literal>isAlive.jsp</literal> in the main /path/to/tomcat/webapps/openam directory, are
essential and should not be blocked or changed.</para>
<para>Given the large number
of available endpoints, this chapter has been organized primarily by subdirectory.
Most of the directories were created when the OpenAM war archive was copied to the appropriate web application
container, such as the webapps/ subdirectory. </para>
<!--
Is there a webapps/ subdirectory in all the containers we support?
Where these things end up on the file system probably depends on the container.
mj - made language more generic
-->
<!-- You only need to define the indexterm at most once per section. mj - second indexterm deleted -->
<para>OpenAM may expose several hundred service endpoints, listed in this chapter.
Each endpoint shown is listed relative to the deployment URL.
For example, if you have deployed OpenAM at <literal>https://openam.example.com:8443/openam/</literal>,
the full URL to the <literal>isAlive.jsp</literal> endpoint is
<literal>https://openam.example.com:8443/openam/isAlive.jsp</literal>.</para>
<para>OpenAM includes two types of endpoints. One is based on URL patterns, shown with the <literal>url-pattern</literal>
tag. You can find these patterns in the web.xml file, in the /path/to/tomcat/webapps/openam/WEB-INF directory.
The other type is based on *.jsp pages, starting in the main /path/to/tomcat/webapps/openam directory, and also
in many associated subdirectories. If you copied or created a WAR archive to a name other than <literal>openam.war</literal>,
as described in the installation guide, substitute for the second <literal>openam</literal> accordingly.</para>
<para>Some of these endpoints can be applied directly to a URL when you've connected to the OpenAM server;
for example, if you've configured OpenAM on <literal>http://idp.example.com:8080/openam</literal>, you
can log in and review debug options by navigating to
<literal>http://idp.example.com:8080/openam/Debug.jsp</literal>.</para>
<para>Other endpoints can only be used when called by some option in the OpenAM console. For example, while the
AgentAdd.jsp endpoint exists in the console/agentconfig subdirectory, you would get an error by navigating directly
to a URL such as <literal>http://sp.example.com:8080/openam/console/agentconfig/AgentAdd.jsp</literal>. For that
particular endpoint, you'll have to click through the options required to add an agent (Access Control &gt;
<replaceable>realm name</replaceable> &gt; Agents &gt; Agent &gt; New).</para>
<para>In general, this chapter does not include dynamic endpoints, such as those that may include security
tokens. The endpoints described in this chapter are based on files included in the installation of an OpenAM
server.</para>
<para>There have been two security advisories related to OpenAM endpoints: <link xlink:show="new"
xlink:href="http://www.forgerock.org/security_advisory1.html">OpenAM Security Advisory #201203</link> and
<link xlink:show="new"
xlink:href="http://www.forgerock.org/security_advisory2.html">OpenAM Security Advisory #201204</link>.
</para>
<itemizedlist>
<para>Several options are available for endpoints at risk. Recommendations from the noted security advisories
include the following:</para>
<listitem>
<para>Filter requests to prevent or restrict access to vulnerable endpoints with a reverse proxy or
equivalent hardware device. Such options can be configured to limit access by IP address or
fully-qualified domain name.</para>
</listitem>
<listitem>
<para>Use a patch. If available, download links should be listed in the security advisory. The patch
may be limited to one or more endpoint files.</para>
</listitem>
<!--
Somewhere in here, you'll need to specify which are safely removable.
Also, how do we deal with that for upgrades? Sys admins should script this, right?
Or should someone develop a hardening script?
-->
<listitem>
<para>Remove access from the configuration. If a problematic endpoint is configured in the web.xml file of
the aforementioned WEB-INF subdirectory, you can remove the section that points to that endpoint.</para>
</listitem>
<listitem>
<para>Remove the endpoint file from the configuration. Some endpoint files, such as proxy.jsp or ssoadm.jsp,
are not essential to the basic operation of OpenAM.</para>
</listitem>
</itemizedlist>
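<para>An added example, not part of the original chapter or of OpenAM: a Python dry run of the last two
recommendations. It lists the *.jsp files and web.xml url-pattern mappings that a removal list would affect, and
refuses to touch the endpoints this chapter says to retain. The sample tree, HypotheticalServlet, the /hypothetical/*
pattern and gone.jsp are constructed for illustration.</para>
<programlisting language="python"><![CDATA[
```python
"""Dry-run audit of an OpenAM web application directory (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Endpoints this chapter says to retain, relative to the deployment root.
KEEP = {"isAlive.jsp", "getServerInfo.jsp", "config/auth/default/Exception.jsp"}

# Constructed web.xml: the servlet, class and url-pattern are hypothetical.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>HypotheticalServlet</servlet-name>
    <servlet-class>org.example.HypotheticalServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HypotheticalServlet</servlet-name>
    <url-pattern>/hypothetical/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def local(tag):
    """Strip an XML namespace, so '{ns}url-pattern' becomes 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def jsp_endpoints(root):
    """Return every *.jsp file under root, relative to the deployment URL."""
    found = []
    for base, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jsp"):
                rel = os.path.relpath(os.path.join(base, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def url_patterns(web_xml):
    """Map each url-pattern in web.xml to the servlet-name it points to."""
    patterns = {}
    for mapping in ET.parse(web_xml).getroot():
        if local(mapping.tag) != "servlet-mapping":
            continue
        name = ""
        for child in mapping:
            if local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
        for child in mapping:  # a mapping may carry several url-patterns
            if local(child.tag) == "url-pattern":
                patterns[(child.text or "").strip()] = name
    return patterns


def plan(root, unwanted):
    """Classify the unwanted endpoints without changing anything on disk."""
    jsps = set(jsp_endpoints(root))
    patterns = url_patterns(os.path.join(root, "WEB-INF", "web.xml"))
    result = {"refused": [], "remove_file": [], "remove_mapping": [], "absent": []}
    for item in sorted(unwanted):
        if item in KEEP:
            result["refused"].append(item)  # essential per this chapter
        elif item in jsps:
            result["remove_file"].append(item)
        elif item in patterns:
            result["remove_mapping"].append((item, patterns[item]))
        else:
            result["absent"].append(item)  # already gone, or a typo in the list
    return result


def drop_mappings(web_xml, doomed):
    """Return web.xml text without the servlet-mapping sections for `doomed`.

    The file on disk is not modified. XML comments are not preserved.
    """
    root = ET.parse(web_xml).getroot()
    if root.tag.startswith("{"):  # keep the default namespace unprefixed
        ET.register_namespace("", root.tag[1:].split("}")[0])
    for mapping in list(root):
        if local(mapping.tag) == "servlet-mapping" and any(
                local(c.tag) == "url-pattern" and (c.text or "").strip() in doomed
                for c in mapping):
            root.remove(mapping)
    return ET.tostring(root, encoding="unicode")


def demo():
    """Build a constructed miniature deployment and plan a removal list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "openam")
        for rel in ("isAlive.jsp", "Debug.jsp", "ssoadm.jsp", "proxy.jsp",
                    "config/auth/default/Exception.jsp", "WEB-INF/web.xml"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_WEB_XML if rel.endswith("web.xml") else "")
        unwanted = {"ssoadm.jsp", "proxy.jsp", "isAlive.jsp",
                    "/hypothetical/*", "gone.jsp"}
        report = plan(root, unwanted)
        web_xml = os.path.join(root, "WEB-INF", "web.xml")
        return report, drop_mappings(web_xml, {p for p, _ in report["remove_mapping"]})


if __name__ == "__main__":
    for action, items in demo()[0].items():
        print(action, items)
```
]]></programlisting>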
<para>Of course, you can take additional steps to help secure your OpenAM deployment. For more information, see
the chapter on <link xlink:href="admin-guide#chap-securing"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Securing OpenAM in the Administration Guide</citetitle></link>.</para>
<!--
Use olinks for interdocument links. Here:
For more information, see the <citetitle>Administration Guide</citetitle> chapter on
<link xlink:href="admin-guide#chap-securing xlink:role="http://docbook.org/xlink/role/olink"
><citetitle>Securing OpenAM</citetitle></link>.
More at https://wikis.forgerock.org/confluence/display/devcom/Core+Documentation+Cookbook#CoreDocumentationCookbook-Links
mj - thank you, correction made.
-->
<section xml:id="jsp-endpoints">
<title>JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
</indexterm>
<para>The OpenAM WAR archive includes *.jsp files in a number of different categories. Many are associated with the
applicable subdirectory, such as console/realm. The following sections will examine each *.jsp file, divided by
subdirectories.</para>
<para>In some highlighted cases, the noted *.jsp file appears in the code for one or more .java files. If you remove
the noted *.jsp file from the container, there is a risk that doing so will break some functionality within OpenAM. In other
cases, such as any files related to the GUI installation wizard, the applicable *.jsp file can be safely removed
from a production system.</para>
</section>
<!-- Mark, I guess I need to do something else to set up tertiary numbering? I was hoping that Main Directory
JSP Endpoints would be section 1.1.1, User Interface JSP Endpoints would be section 1.1.2. It's probably not
a huge flaw... -->
<section xml:id="maindirectory-jsp-endpoints">
<title>Main Directory JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Main Directory</tertiary>
</indexterm>
<para>If you're working in Tomcat, you'll find the endpoints in this subsection in the
/path/to/tomcat/webapps/openam directory. For other web application containers, you may find the endpoints
in a different openam subdirectory.</para>
<variablelist>
<varlistentry>
<term><literal>Debug.jsp</literal></term>
<listitem>
<para>Supports debug logging by service. For more information, see the <citetitle>Administration Guide</citetitle>
chapter on <link xlink:href="admin-guide#chap-monitoring#log-debug-selective-capture"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Debug Logging by Service</citetitle></link>.</para>
</listitem>
</varlistentry>
<!-- Don't close the variablelist for each entry. -->
<varlistentry>
<term><literal>encode.jsp</literal></term>
<listitem>
<para>Enables access to a page that encodes text passwords. The algorithm is based on PBEWithMD5AndDES,
password-based encryption (PBE) using the MD5 message-digest algorithm, configured with the Data Encryption
Standard (DES).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>getServerInfo.jsp</literal></term>
<listitem>
<para>Supports requests for server information. As getServerInfo.jsp is referenced in some .java files, you should
retain getServerInfo.jsp in your deployment.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>isAlive.jsp</literal></term>
<listitem>
<para>Verifies the current status of the OpenAM service; the "Server is ALIVE:" message also verifies
activity on OpenAM systems behind load balancers. This can be a useful tool in a production environment.</para>
<!-- Verified with Allan -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>nowritewarning.jsp</literal></term>
<listitem>
<para>Displays a permission error message, used by the GUI-based installation wizard.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>proxyidpfinder.jsp</literal></term>
<listitem>
<para>Supports access to a remote identity provider, through the federation broker.</para>
<!-- Per the wiki, consistent with the comments in proxyidpfinder.jsp -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>services.jsp</literal></term>
<listitem>
<para>Lists active services within OpenAM. The details shown on this page can be used with the
<literal>ssoadm</literal> command to create a second OpenAM server with matching services. Be aware that the
amadmin administrative user is hard-coded into this file. If you change the identity of the administrative user
to something other than amadmin, that user won't have access to services.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>showServerConfig.jsp</literal></term>
<listitem>
<para>Specifies configuration information for the system, including the URL, the OS, the Java VM, the
configuration directory, and more.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ssoadm.jsp</literal></term>
<listitem>
<para>Supports GUI-based access to the options associated with the <literal>ssoadm</literal> command.
The ssoadm.jsp file is disabled by default. Instructions for enabling this feature are available from
the <citetitle>Administration Guide</citetitle> entry on <link xlink:show="new" xlink:href=
"admin-guide#chap-admin-tools#openam-ssoadm-jsp-overview"
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>OpenAM ssoadm.jsp</citetitle></link>.</para>
</listitem>
</varlistentry>
<para>All of the validat*.jsp files near the end of this list relate to testing and verifying federation. Federation
requires at least one identity provider (IDP) and one service provider (SP). At least one of these components must be
configured remotely to set up a valid Circle of Trust (COT). If federation does not apply to your configuration, the
validat*.jsp files are not essential to your configuration.</para>
<varlistentry>
<term><literal>validateWait.jsp</literal></term>
<listitem>
<para>May be called by the validator.jsp or validatorMain.jsp files, to display progress in verifying the status
of federation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>validator.jsp</literal></term>
<listitem>
<para>Refers to the ValidateSAML2 function to identify the realm, IdP and SP for the federation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>validatorAuthFail.jsp</literal></term>
<listitem>
<para>Starts an "Authentication Failed" message.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>validatorFooter.jsp</literal></term>
<listitem>
<para>Incorporates a "Back to Login" button in validatorMain.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>validatorMain.jsp</literal></term>
<listitem>
<para>Sets up a federation connectivity test. If you've set up a Federation Circle of Trust, this file is
accessible from the "Test Federation Connectivity" option in the main OpenAM console.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>validatorRpt.jsp</literal></term>
<listitem>
<para>Opens a "Connectivity Test Results" window, specifying the status of a federation circle of trust.
Tests relate to IdP authentication, SP authentication, account linking, single log out, single sign on,
and account unlinking.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>validatorStatus.jsp</literal></term>
<listitem>
<para>Adds information to validator.jsp and validatorMain.jsp with federation status information as it relates
to the currently configured circle of trust.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="ui-jsp-endpoints">
<title>User Interface JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>User Interface</tertiary>
</indexterm>
<para>The endpoints in this section can be found in several com_sun_web_ui/jsp/ subdirectories. These endpoints
appear to relate to JavaHelp; per OPENAM-806, this functionality was removed from OpenAM, starting with version 9.5.3.
Thus, the endpoints in this section, with one possible exception (Masthead.jsp in the
com_sun_web_ui/jsp/version subdirectory) may no longer serve any purpose.</para>
<!-- Am I being too honest with this paragraph? -->
<variablelist>
<varlistentry>
<term><literal>DateTimeWindow.jsp</literal></term>
<listitem>
<para>The only endpoint in the com_sun_web_ui/jsp/datetime subdirectory. May be a legacy endpoint;
it calls a DateTimeWindowViewBean class; the corresponding .java file does not
exist in the current trunk.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Help.jsp</literal></term>
<listitem>
<para>One of two endpoints in the com_sun_web_ui/jsp/help subdirectory. May be a legacy endpoint;
it calls a HelpViewBean class; the corresponding .java file does not exist in the current trunk.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Masthead.jsp</literal></term>
<listitem>
<para>One of two endpoints in the com_sun_web_ui/jsp/help subdirectory. Also exists in a slightly
different format in the com_sun_web_ui/jsp/help2 subdirectory, as well as the
com_sun_web_ui/jsp/version subdirectory. May be a legacy endpoint;
it calls a MastheadViewBean class; the Masthead.jsp file and the corresponding
MastheadViewBean.java were last changed in 2004. (However, the Masthead.jsp file in the
com_sun_web_ui/jsp/version subdirectory includes a VersionViewBean.java file that is used by the
Version.jsp endpoint used in the console/base subdirectory.)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ButtonNav.jsp</literal></term>
<listitem>
<para>Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a
ButtonNavViewBean class; the associated .java file no longer exists in the trunk.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Help2Ie.jsp</literal></term>
<listitem>
<para>Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a
Help2ViewBean class; the associated .java file no longer exists in the trunk.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Help2Nav4.jsp</literal></term>
<listitem>
<para>Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a
Help2ViewBean class; the associated .java file no longer exists in the trunk.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Help2Nav6up.jsp</literal></term>
<listitem>
<para>Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a
Help2ViewBean class; the associated .java file no longer exists in the trunk.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Navigator.jsp</literal></term>
<listitem>
<para>Specifies an endpoint in the com_sun_web_ui/jsp/help2 directory. Points to a
NavigatorViewBean class; the associated .java file no longer exists in the trunk.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AdvancedSort.jsp</literal></term>
<listitem>
<para>Specifies an endpoint in the com_sun_web_ui/jsp/table directory.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Table.jsp</literal></term>
<listitem>
<para>Specifies an endpoint in the com_sun_web_ui/jsp/table directory. Points to a
TableViewBean class; the associated .java file no longer exists in the trunk.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WizardWindow.jsp</literal></term>
<listitem>
<para>Points to an endpoint in the com_sun_web_ui/jsp/wizard subdirectory. Points to a
WizardWindowViewBean class, which appears to be unused by any other .jsp file.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="default-authentication-configuration-jsp-endpoints">
<title>Default Authentication JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Default Authentication Configuration</tertiary>
</indexterm>
<!--
Perhaps given this you should have the first indexterm at the top of the chapter be:
<indexterm><primary>Endpoints</primary></indexterm>
-->
<para>Many of the .jsp files in this category can be customized to change the messages that appear to users
in the OpenAM console. Standard messages for most of these endpoints can be found in the amAuth.properties and
amAuthUI.properties files. You'll find the endpoints in this subsection in the config/auth/default
subdirectory.</para>
<!-- For each service endpoint sorted alphanumeric: URI, description -->
<variablelist>
<varlistentry>
<term><literal>account_expired.jsp</literal></term>
<listitem>
<para>Specifies an error page for account expiration. The message
displayed to the user can be modified in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>authException.jsp</literal></term>
<listitem>
<para>Option to Exception.jsp; called if there is an existing resource bundle, as specified in
AuthExceptionViewBean.java.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>auth_error_template.jsp</literal></term>
<listitem>
<para>Specifies an error page for authentication errors. The message
displayed to the user can be modified in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>disclaimer.jsp</literal></term>
<listitem>
<para>Associated with the self-registration module, which can be configured in the OpenAM Console, under
Access Control > Realm Name > Authentication > Module Instances. The default disclaimer is
associated with the disclaimer.notice parameter, defined in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>disclaimerDeclined.jsp</literal></term>
<listitem>
<para>Associated with the self-registration module, which can be configured in the OpenAM Console, under
Access Control > Realm Name > Authentication > Module Instances. The default disclaimer_denied message is
associated with the disclaimer.declined parameter, defined in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Exception.jsp</literal></term>
<listitem>
<para>Includes the following error message: "Authentication Service is not initialized." Cited by several
other .java files in the code, so it should not be removed in a secure deployment.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>invalidAuthlevel.jsp</literal></term>
<listitem>
<para>Used to specify an issue with the authentication level. The default invalidauthlevel and contactadmin
messages can be redefined in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>invalidPCookieUserID.jsp</literal></term>
<listitem>
<para>Notes a problem with a specified user name for a cookie, which presumably does not exist in the
relevant domain. The default cookie.notpersistent and contactadmin messages can be modified in the
amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>invalid_domain.jsp</literal></term>
<listitem>
<para>Displays a "No such Organization found" message when a domain is not defined in the OpenAM database.
Refers to the nosuch.domain parameter in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>login_denied.jsp</literal></term>
<listitem>
<para>Defines the response of OpenAM to a user who enters an undefined profile. Uses the
userhasnosuchprofile.org and contactadmin parameters in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>login_failed_template.jsp</literal></term>
<listitem>
<para>Provides a message in the event of a login failure. The message uses the auth.failed parameter
in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Login.jsp</literal></term>
<listitem>
<para>Specifies a regular authentication template. As noted in the
<citetitle>Administration Guide</citetitle> entry on <link xlink:show="new" xlink:href=
"admin-guide#chap-securing#secure-openam-administration"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Securing OpenAM Administration</citetitle></link>,
the Login.jsp file may be customized for different deployments.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Logout.jsp</literal></term>
<listitem>
<para>The Logout.jsp file may also be customized for different deployments.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>maxSessions.jsp</literal></term>
<listitem>
<para>Specifies the message given to users when the number of sessions has hit the preconfigured limit.
The default is 5000, defined in the OpenAM console under Configuration > Servers and Sites >
Default Server Settings > Session. The message uses the session.max.limit parameter defined in the
amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>membership.jsp</literal></term>
<listitem>
<para>Specifies information for the page associated with the self-registration module.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Message.jsp</literal></term>
<listitem>
<para>Calls text messages related to the authentication process.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>module_denied.jsp</literal></term>
<listitem>
<para>Includes a message to a target user that he does not have access to a specified module. The message
uses the authmodule.denied parameter defined in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>module_template.jsp</literal></term>
<listitem>
<para>Adds a page which can be used to help customize appropriate modules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>new_org.jsp</literal></term>
<listitem>
<para>Includes a warning when a user is trying to access a different realm. The message uses the newOrg.agree
parameter, as defined in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>noConfig.jsp</literal></term>
<listitem>
<para>Specifies the lack of a defined configuration module. The message uses the noconfig.found parameter,
defined in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>OAuthActivate.jsp</literal></term>
<listitem>
<para>Shows a default template for entering an activation code.
Used by OAuth.xml for password changes. As this file is not configured for OAuth2, the file is
deprecated and may be removed from a future release.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>OAuthPwd.jsp</literal></term>
<listitem>
<para>Displays a password change screen, with an option for terms and conditions of service. As this file
is not configured for OAuth2, it is deprecated and may be removed from a future release.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>org_inactive.jsp</literal></term>
<listitem>
<para>Transmits the message that the target organization is not active in the OpenAM database.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>profileError.jsp</literal></term>
<listitem>
<para>Specifies the message that is sent when there's a failure in the use of the self-registration module.
Associated with the profile.error parameter, defined in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Redirect.jsp</literal></term>
<listitem>
<para>Notes a file used by other code to redirect users for events such as login failures.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>register.jsp</literal></term>
<listitem>
<para>Identifies the page with the self-registration template.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>session_timeout.jsp</literal></term>
<listitem>
<para>Adds a message to a user when a session has gone past its allocated login time. Uses the
session.timeout parameter, defined in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>userDenied.jsp</literal></term>
<listitem>
<para>Associated with role-based authentication. Tells a user when the required role has not been configured
for that user. Message defined by the user.not.inrole parameter, defined in the amAuthUI.properties
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>user_inactive.jsp</literal></term>
<listitem>
<para>Identifies a message sent to a user that is not currently active in the database. Message defined by
the usernot.active parameter, as shown in the amAuthUI.properties file.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="default-federation-jsp-endpoints">
<title>Default Federation JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Default Federation</tertiary>
</indexterm>
<para>Many of the files in this config/federation/default subdirectory use the com.sun.liberty.LibertyManager
interface. In general, you'll want to keep these files in a production deployment, to support adding users to and
deleting users from different Circles of Trust (COT). Many of these files are customizable for different
organizational interfaces. Interfaces in different languages may be configured in slightly different
subdirectories such as config/federation/default_fr.</para>
<!-- For each service endpoint sorted alphanumeric: URI, description -->
<variablelist>
<varlistentry>
<term><literal>cdclogin.jsp</literal></term>
<listitem>
<para>Supports a non-blank page for cross-domain single sign-ons; associated with a Cross-Domain Controller
(CDC) servlet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CommonLogin.jsp</literal></term>
<listitem>
<para>Supports links to login pages of trusted identity providers.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Error.jsp</literal></term>
<listitem>
<para>Sets up an error message, using the com.sun.liberty.LibertyManager interface.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Federate.jsp</literal></term>
<listitem>
<para>Supports a connection to providers that can be configured in a federation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FederationDone.jsp</literal></term>
<listitem>
<para>Specifies the status of a federation request; the default response is either "The
user has cancelled account federation." or "Federation has been successfully completed with the
remote provider."</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Footer.jsp</literal></term>
<listitem>
<para>Sets up code that you can use to include a custom footer on all pages.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Header.jsp</literal></term>
<listitem>
<para>Sets up code that you can use to include a custom header on all pages; the default version is
configured with the OpenAM logo.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ListOfCOTs.jsp</literal></term>
<listitem>
<para>When a service provider (SP) belongs to more than one COT, this page prompts
the user to select a preferred identity provider (IDP).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>LogoutDone.jsp</literal></term>
<listitem>
<para>Specifies success or failure during a logout operation. Where a user has an account on multiple
providers, he may see the following message: "Unable to log the user out from one or more providers
where the user may still have active sessions."</para>
<!-- Based on messages in the code, did not check. -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>NameRegistration.jsp</literal></term>
<listitem>
<para>Supports registration with a new remote provider; this endpoint is associated with
NameRegistrationDone.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>NameRegistrationDone.jsp</literal></term>
<listitem>
<para>Displays different messages based on a registration attempt with a remote provider. The message
varies depending on whether the request was successful, a failure, or cancelled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Termination.jsp</literal></term>
<listitem>
<para>Supports defederation from an existing remote provider; goes with TerminationDone.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>TerminationDone.jsp</literal></term>
<listitem>
<para>Displays different messages based on a defederation attempt with a remote provider. The message
varies depending on whether the request was successful, a failure, or cancelled.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-agent-configuration-jsp-endpoints">
<title>Console Agent Configuration JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Console Agent Configuration</tertiary>
</indexterm>
<para>The JSP files in the console/agentconfig subdirectory relate to the configuration of Web Agents. To see
what is done by each JSP file, log into the console as the administrator. Select Access Control >
<replaceable>[Some Realm]</replaceable> >
Agents. Several of the options that appear correspond to the JSP files in the target subdirectory.</para>
<para>Some of the endpoints include messages from relevant sections of the amConsole.properties file. The agents
in this directory are part of the com.sun.identity.console.agentconfig package.</para>
<para>Several endpoints relate to Web Service Client (WSC) policy agents, which secure outgoing requests and
validate incoming requests from Web Service Providers (WSP). For more information, see the chapter on
<link xlink:href="admin-guide#chap-agents"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Configuring Policy Agent Profiles</citetitle> in the Administration Guide</link>.</para>
<para>If you are not using agent functionality such as that related to the Security Token Service (STS), the
related endpoints listed in this section may not be essential in a production deployment.</para>
<variablelist>
<varlistentry>
<term><literal>AgentAdd.jsp</literal></term>
<listitem>
<para>Includes a newly created web agent for a specified realm. The AgentAdd page appears in the OpenAM
console after an agent is added to a realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AgentConfigInherit.jsp</literal></term>
<listitem>
<para>Allows an administrator to review default settings for the agent, as configured in the Inheritance
Settings page. Inheritance assumes that the agent is part of a previously configured group.
To access Inheritance Settings, refer to the <link xlink:href="admin-guide#chap-agents#create-agent-profiles"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Creating Agent Profiles</citetitle> section of the Administration Guide</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AgentDump.jsp</literal></term>
<listitem>
<para>Displays information about the current configuration of an agent or an agent group,
and how it might be exported.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AgentExportPolicy.jsp</literal></term>
<listitem>
<para>Shows how the information about an agent may be exported.</para>
<!-- Based on best guess, not sure how to check. -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AgentGroup.jsp</literal></term>
<listitem>
<para>Includes a newly created agent group for common web agents within a specified realm.
The AgentGroup page appears in the OpenAM console after an agent is added to a realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AgentGroupMembers.jsp</literal></term>
<listitem>
<para>Supports the display of agents that are members of a specified agent group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Agents.jsp</literal></term>
<listitem>
<para>Enables access to a form to specify a new agent to add. The same form is used for every category of
new agents configured from the OpenAM console, when you navigate to Access Control &gt;
<replaceable>[Realm name]</replaceable> &gt; Agents.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Home.jsp</literal></term>
<listitem>
<para>Per comments in the HomeViewBean, this file should forward requests for other agents.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WebServiceClientEdit.jsp</literal></term>
<listitem>
<para>Includes customizable options for web service clients. Accessible when you edit and then save
or export the configuration for a specific web service client.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WebServiceProviderEdit.jsp</literal></term>
<listitem>
<para>Includes customizable options for web service providers. Accessible when you edit and then save
or export the configuration for a specific web service provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WebServiceSTSEdit.jsp</literal></term>
<listitem>
<para>Includes customizable options for web service STS providers. Accessible
when you edit and then save or export the configuration for a specific web service STS provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WebServiceUserCredAdd.jsp</literal></term>
<listitem>
<para>Supports the configuration of a WSP agent username and password.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WebServiceUserCredEdit.jsp</literal></term>
<listitem>
<para>Supports changes to a WSP agent username and password.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-ajax-jsp-endpoints">
<title>Console Ajax JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Console Ajax</tertiary>
</indexterm>
<para>The only JSP file that appears to be active in this subdirectory is AjaxProxy.jsp, which appears to be
used by several other endpoints.</para>
<variablelist>
<varlistentry>
<term><literal>AjaxProxy.jsp</literal></term>
<listitem>
<para>Specifies an element used by several other endpoints, including ConfigureGoogleApps.jsp
and ConfigureSalesForceApps.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FileUpload.jsp</literal></term>
<listitem>
<para>Used by the FileUploader.jsp endpoint, described in the section on Federation Console JSP
Endpoints.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-authentication-jsp-endpoints">
<title>Console Authentication JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Console Authentication</tertiary>
</indexterm>
<para>You can find console authentication endpoints in the console/authentication subdirectory. The associated
endpoints relate to authentication settings in a realm. To access these endpoints, navigate to Access Control &gt;
<replaceable>[some realm]</replaceable> &gt; Authentication.</para>
<variablelist>
<varlistentry>
<term><literal>AuthConfig.jsp</literal></term>
<listitem>
<para>Part of the creation of a New Authentication Chain; associated with the Authentication
Chaining section of the Authentication tab for a realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AuthProperties.jsp</literal></term>
<listitem>
<para>Specifies properties that might be configured under the authentication tab for a specific or
top-level realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CoreAttributes.jsp</literal></term>
<listitem>
<para>Associated with the Core section of the Authentication tab of a specific or the top-level
realm. Includes options for Realm Attributes, Persistent Cookies, Account Lockout, and
Post-Authentication Processing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EditAuthType.jsp</literal></term>
<listitem>
<para>Supports changes to Module Instances, under the Authentication tab of a specific or the
top-level realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>NewAuthConfig.jsp</literal></term>
<listitem>
<para>Associated with the creation of a New Authentication Chain, an option available from the
Authentication Chaining section of the Authentication tab.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>NewAuthInstance.jsp</literal></term>
<listitem>
<para>Supports the implementation of a new authentication module, available from the Module
Instances section of the Authentication tab.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ReorderAuthChains.jsp</literal></term>
<listitem>
<para>Supports a change in sequence of authentication criteria; to access, select an existing
Authentication Chaining service under the Authentication tab for a specified realm.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-base-jsp-endpoints">
<title>Base Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Base Console</tertiary>
</indexterm>
<para>The endpoints in this subdirectory (console/base) relate to options associated with the "home page" for the
OpenAM GUI console; in essence, these are the options available when you log in as the administrative user
(typically <literal>amadmin</literal>).</para>
<variablelist>
<varlistentry>
<term><literal>AMAdminFrame.jsp</literal></term>
<listitem>
<para>Defaults to the opening page for the OpenAM console.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AMInvalidURL.jsp</literal></term>
<listitem>
<para>Provides an "Invalid URL" error message.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AMLogin.jsp</literal></term>
<listitem>
<para>Redirects users to the default login page; assumes no user is currently logged into OpenAM.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AMPost.jsp</literal></term>
<listitem>
<para>Endpoint that either returns success of a post or an "Invalid or Missing Input" error.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AMUncaughtException.jsp</literal></term>
<listitem>
<para>Default uncaught exception error message endpoint: "An error occurred while processing this
request. Contact your administrator."</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Authenticated.jsp</literal></term>
<listitem>
<para>Displays a "You're logged in" information message.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CloseWindow.jsp</literal></term>
<listitem>
<para>Endpoint that closes existing windows.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Message.jsp</literal></term>
<listitem>
<para>Specifies a template endpoint used for messages.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Version.jsp</literal></term>
<listitem>
<para>Specifies current version information, copyright notice, and licensing.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-delegation-jsp-endpoints">
<title>Delegation Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Delegation Console</tertiary>
</indexterm>
<para>The two service endpoints under the console/delegation subdirectory relate to the privileges associated
with configured realms.</para>
<variablelist>
<varlistentry>
<term><literal>Delegation.jsp</literal></term>
<listitem>
<para>Associated with the privileges for a realm. The privileges can be assigned for different
groups of users, as configured via Access Control &gt; <replaceable>[realm]</replaceable> &gt;
Subjects &gt; Group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>DelegationProperties.jsp</literal></term>
<listitem>
<para>Supports changes in properties for group privileges, described in the Delegation.jsp endpoint.
To get to these properties, select Access Control &gt; <replaceable>[some realm]</replaceable>
&gt; Privileges &gt; <replaceable>[name of group]</replaceable>.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-federation-jsp-endpoints">
<title>Federation Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Federation Console</tertiary>
</indexterm>
<para>The JSP files in this section relate to federation, specified in the console/federation subdirectory.
Specifically, when you access the OpenAM GUI console
and click the Federation tab, the variety of options that you select call the JSP files in this directory.
References in each JSP file in that subdirectory are associated with the Federation tab.</para>
<para>Generally, the JSP files in this directory are essential if you want to add or modify federation partners
in your Circles of Trust (COT), SAMLv2 / ID-FF / WS-Federation entity providers, and SAML 1.x configured
partners.</para>
<para>If you're not using the legacy elements of federation, such as Liberty ID-FF, WS-Federation, and SAML 1.x,
you may be able to delete related service endpoints in a more secure deployment.</para>
<para>Many of the endpoints in this section are accessible from the OpenAM console, under the Federation tab.
Some of the endpoints are accessible only after you've created an appropriate entity provider, such as
SAMLv2, ID-FF, or WS-Federation.</para>
<variablelist>
<varlistentry>
<term><literal>CreateCOT.jsp</literal></term>
<listitem>
<para>When you create a Circle of Trust (COT) via Federation &gt; New, you can access the
COT Configuration window. You can then access all configured COTs.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CreateSAML2MetaData.jsp</literal></term>
<listitem>
<para>Used when creating a new entity provider, configured with the SAML2 protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSAuthDomainsEditViewBean.jsp</literal></term>
<listitem>
<para>Associated with an edit of a COT; to access, select a previously configured COT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLSelectTrustedPartnerType.jsp</literal></term>
<listitem>
<para>Opened when you configure a new Trusted Partner under the SAML 1.x Configuration section.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLService.jsp</literal></term>
<listitem>
<para>Associated with FSSAMLServiceViewBean, which is used by a number of other JSP files in the
console/federation subdirectory.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLSetTrustedPartnerType.jsp</literal></term>
<listitem>
<para>Associated with the FSSAMLSetTrustedPartnersEdit.jsp file; used when you select a configured SAML 1.x
Configuration trusted partner.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLSiteIDAdd.jsp</literal></term>
<listitem>
<para>Supports the addition of a Site ID for a SAML-configured partner.</para>
<!-- Based on best guess; direct access to the URL leads to an Add Site Identifier window; entries lead
to a runtime exception with messages that I think suggest that it needed to be called by a different URL. -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLSiteIDEdit.jsp</literal></term>
<listitem>
<para>Supports the modification of a Site ID for a SAML-configured partner.</para>
<!-- Based on best guess; direct access to the URL leads to an Edit Site Identifier window; entries lead
to a runtime exception with messages that I think suggest that it needed to be called by a different URL. -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLTargetURLsAdd.jsp</literal></term>
<listitem>
<para>Includes a new POST to a specified URL.</para>
<!-- Based on best guess; direct access to the URL leads to an Add Post to Target URL window; entries lead
to a runtime exception with messages that I think suggest that it needed to be called by a different URL. -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLTargetURLsEdit.jsp</literal></term>
<listitem>
<para>Supports editing of a POST to a specified URL.</para>
<!-- Based on best guess; direct access to the URL leads to an Edit Post to Target URL window; entries lead
to a runtime exception with messages that I think suggest that it needed to be called by a different URL. -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLTrustedPartnersAdd.jsp</literal></term>
<listitem>
<para>Called when you create a new "trusted partner" in the SAML 1.x Configuration area of the Federation
window.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FSSAMLTrustedPartnersEdit.jsp</literal></term>
<listitem>
<para>Called when you edit an existing "trusted partner" in the SAML 1.x Configuration area of the Federation
window.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Federation.jsp</literal></term>
<listitem>
<para>Cited when you click New in the "Circle of Trust" section of the Federation window.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>FileUploader.jsp</literal></term>
<listitem>
<para>Called by the ImportEntity.jsp file, to support uploads of metadata files associated with a previously
configured entity provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDFFAffiliate.jsp</literal></term>
<listitem>
<para>Specifies an IDFF affiliate in a COT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDFFGeneral.jsp</literal></term>
<listitem>
<para>Includes general parameters associated with an IDFF affiliate in a COT. The corresponding
IDFFGeneralViewBean parameter is cited only in this and the IDFFGeneralViewBean.java files.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDFFIDP.jsp</literal></term>
<listitem>
<para>Associated with the Identity Provider (IDP) for IDFF.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDFFSP.jsp</literal></term>
<listitem>
<para>Associated with the Service Provider (SP) for IDFF.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ImportEntity.jsp</literal></term>
<listitem>
<para>Supports the import of pre-existing metadata files which define an entity provider. Allows you to
import metadata from a URL to a desired Realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2Affiliate.jsp</literal></term>
<listitem>
<para>Enables a view of SAML version 2 affiliates.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2AttrAuthority.jsp</literal></term>
<listitem>
<para>Associated with an IDP acting as an attribute authority.</para>
<!-- based on my reading of http://docs.oracle.com/cd/E19681-01/820-3885/ghzmm/index.html -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2AttrQuery.jsp</literal></term>
<listitem>
<para>Supports queries and saves of SAML2 attribute metadata.</para>
<!-- based on my reading of http://docs.oracle.com/cd/E19681-01/820-3885/ghzmm/index.html -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2AuthnAuthority.jsp</literal></term>
<listitem>
<para>Enables communication with an IDP acting as an authentication authority.</para>
<!-- based on my reading of the ViewBean file, which points to retrieving and saving values -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2General.jsp</literal></term>
<listitem>
<para>Identifies general properties of a SAML version 2 affiliate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2IDPAdvanced.jsp</literal></term>
<listitem>
<para>Supports the configuration of advanced properties for a SAMLv2 IDP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2AssertionContent.jsp</literal></term>
<listitem>
<para>Associated with the Assertion Content tab, accessible when you select Federation &gt; Entity Providers
&gt; <replaceable>Provider Name</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2AssertionProcessing.jsp</literal></term>
<listitem>
<para>Associated with the Assertion Processing tab, accessible when you select Federation &gt; Entity Providers
&gt; <replaceable>Provider Name</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2IDPServices.jsp</literal></term>
<listitem>
<para>Supports the configuration of IDP service properties for a SAML2 provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2PDP.jsp</literal></term>
<listitem>
<para>Enables the configuration of a SAMLv2-based Policy Decision Point (PDP).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2PEP.jsp</literal></term>
<listitem>
<para>Enables the configuration of a SAMLv2-based Policy Enforcement Point (PEP).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2SPAdvanced.jsp</literal></term>
<listitem>
<para>Supports the configuration of advanced properties for a SP. Accessible when you select Federation &gt;
Entity Providers &gt; <replaceable>Provider Name</replaceable> &gt; SP &gt; Advanced.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2SPAssertionContent.jsp</literal></term>
<listitem>
<para>Associated with the Assertion Content tab; supports the configuration of assertion content for SPs. It is
accessible when you select Federation &gt; Entity Providers &gt; <replaceable>Provider Name</replaceable> &gt; SP &gt;
Assertion Content.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2SPAssertionProcessing.jsp</literal></term>
<listitem>
<para>Associated with the Assertion Content tab; supports the configuration of assertion processing-related
properties for SPs. It is accessible
when you select Federation &gt; Entity Providers &gt; <replaceable>Provider Name</replaceable> &gt; SP &gt;
Assertion Processing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SAMLv2SPServices.jsp</literal></term>
<listitem>
<para>Supports the configuration of services-related properties for an SP. It is accessible
when you select Federation &gt; Entity Providers &gt; <replaceable>Provider Name</replaceable> &gt; SP &gt;
Services.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSFedGeneral.jsp</literal></term>
<listitem>
<para>Associated with the configuration of a legacy WS-Federation entity provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSFedIDP.jsp</literal></term>
<listitem>
<para>Supports the configuration of an IDP under WS-Federation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSFedSP.jsp</literal></term>
<listitem>
<para>Supports the configuration of an SP under WS-Federation.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-policy-jsp-endpoints">
<title>Policy Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Policy Console</tertiary>
</indexterm>
<para>The JSP service endpoints in the console/policy subdirectory relate to policies under a specific realm. To
view the options listed in this section, start the GUI console and navigate to Access Control &gt;
<replaceable>[Name of Realm]</replaceable> &gt; Policies.</para>
<para>For more information, see the chapter on
<link xlink:href="admin-guide#chap-authz-policy" xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Defining Authorization Policies</citetitle> in the OpenAM Administration Guide</link>.</para>
<variablelist>
<varlistentry>
<term><literal>AuthToRealm.jsp</literal></term>
<listitem>
<para>Supports a policy that depends on the realm where the user authenticated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AuthToRealmAdd.jsp</literal></term>
<listitem>
<para>Adds a policy that depends on the realm where the user authenticated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AuthToRealmEdit.jsp</literal></term>
<listitem>
<para>Edits an existing policy that depends on the realm where the user authenticated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AuthToServiceAdd.jsp</literal></term>
<listitem>
<para>Enables a policy that depends on an authentication realm for a user.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>AuthToServiceEdit.jsp</literal></term>
<listitem>
<para>Edits a policy that depends on an authentication realm for a user.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConditionAdd.jsp</literal></term>
<listitem>
<para>Supports adding a condition to a policy realm.
Associated with the SelectConditionType.jsp file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConditionEdit.jsp</literal></term>
<listitem>
<para>Edits a condition that has been added to a policy realm.
Associated with the SelectConditionType.jsp file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConditionProxy.jsp</literal></term>
<listitem>
<para>Supports a proxy of a condition that has been added to a policy realm.
Cited only by the ConditionProxyViewBean.java file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IdentityMembershipConditionAdd.jsp</literal></term>
<listitem>
<para>Supports a policy that depends on a list of selected OpenAM subjects, as well as group
membership.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IdentityMembershipConditionEdit.jsp</literal></term>
<listitem>
<para>Edits an existing policy that depends on a list of selected OpenAM subjects, as well as group
membership.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IdentitySubject.jsp</literal></term>
<listitem>
<para>Supports the configuration of a policy based on users or groups.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IdentitySubjectAdd.jsp</literal></term>
<listitem>
<para>Adds a policy based on users or groups.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IdentitySubjectEdit.jsp</literal></term>
<listitem>
<para>Edits an existing policy based on the configuration of users or groups.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDRepoResponseProviderAdd.jsp</literal></term>
<listitem>
<para>Identifies a response provider that provides additional information on policy enforcement,
such as why a request was allowed or denied.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDRepoResponseProviderEdit.jsp</literal></term>
<listitem>
<para>Edits an ID response provider that provides additional information on policy enforcement,
such as why a request was allowed or denied.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMAuthenticatedUsersSubjectAdd.jsp</literal></term>
<listitem>
<para>Supports the configuration of a new policy for authenticated users.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMAuthenticatedUsersSubjectEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of an existing policy for authenticated users.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultAuthLevelCondition.jsp</literal></term>
<listitem>
<para>Supports a policy that depends on the realm where the user authenticated, with a minimum or
maximum acceptable authentication level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultAuthLevelConditionAdd.jsp</literal></term>
<listitem>
<para>Adds a policy that depends on the realm where the user authenticated, with a minimum or
maximum acceptable authentication level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultAuthLevelConditionEdit.jsp</literal></term>
<listitem>
<para>Edits an existing policy that depends on the realm where the user authenticated, with a
minimum or maximum acceptable authentication level.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultAuthSchemeCondition.jsp</literal></term>
<listitem>
<para>Supports the configuration of a policy that depends on the realm where the user authenticated.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultAuthSchemeConditionAdd.jsp</literal></term>
<listitem>
<para>Adds a policy that depends on the realm where the user authenticated.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultAuthSchemeConditionEdit.jsp</literal></term>
<listitem>
<para>Edits an existing policy that depends on the realm where the user authenticated.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultIPCondition.jsp</literal></term>
<listitem>
<para>Supports a policy based on clients in a specific range of IP addresses or associated with
a specific DNS domain name.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultIPConditionAdd.jsp</literal></term>
<listitem>
<para>Adds a policy based on clients in a specific range of IP addresses or associated with
a specific DNS domain name.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultIPConditionEdit.jsp</literal></term>
<listitem>
<para>Edits an existing policy based on clients in a specific range of IP addresses or associated
with a specific DNS domain name.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultSessionCondition.jsp</literal></term>
<listitem>
<para>Supports the configuration of an Active Session policy condition.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultSessionConditionAdd.jsp</literal></term>
<listitem>
<para>Adds a new policy related to an Active Session policy condition.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultSessionConditionEdit.jsp</literal></term>
<listitem>
<para>Edits an existing policy related to an Active Session policy condition.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultTimeCondition.jsp</literal></term>
<listitem>
<para>Relates to a policy associated with time restrictions on a user or group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultTimeConditionAdd.jsp</literal></term>
<listitem>
<para>Adds a policy for time restrictions on a user or a group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDefaultTimeConditionEdit.jsp</literal></term>
<listitem>
<para>Edits an existing policy related to time restrictions on a user or a group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMDSAMERoleSubject.jsp</literal></term>
<listitem>
<para>Used for user/group roles associated with the Directory Server Access Management Edition.
</para>
<!-- Best guess; I don't see much info and could not -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMLDAPGroupSubject.jsp</literal></term>
<listitem>
<para>Relates to a policy dependent on group membership within the LDAP database.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMLDAPOrgSubject.jsp</literal></term>
<listitem>
<para>Relates to a policy dependent on organizational unit (OU) membership within the LDAP database.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PMLDAPRoleSubject.jsp</literal></term>
<listitem>
<para>Relates to a policy dependent on user roles configured within the LDAP database.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Policy.jsp</literal></term>
<listitem>
<para>Displays currently configured policies for the target realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PolicyNormalAdd.jsp</literal></term>
<listitem>
<para>Shows what policy has been added from the Policies tab, after configuring a new policy with
the New Policy button.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PolicyNormalEdit.jsp</literal></term>
<listitem>
<para>Supports the creation of a new policy rule, or the edit of an existing policy rule. To access,
click New in any policy category, or select an existing policy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PolicyReferralAdd.jsp</literal></term>
<listitem>
<para>Displays a newly configured referral policy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PolicyReferralEdit.jsp</literal></term>
<listitem>
<para>Supports editing of an existing referral policy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PolicySelectType.jsp</literal></term>
<listitem>
<para>Supports selection of a policy, by name, in either a "normal" or a "referral" category.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ReferralAdd.jsp</literal></term>
<listitem>
<para>Adds referrals to and from an existing policy.</para>
<!-- Based on my reading of PolicyOpViewBeanBase.java -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ReferralEdit.jsp</literal></term>
<listitem>
<para>Edits referrals associated with an existing policy.</para>
<!-- Based on my reading of PolicyOpViewBeanBase.java -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ReferralProxy.jsp</literal></term>
<listitem>
<para>Supports changes in referrals to and from an existing policy.</para>
<!-- Best guess -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ResponseProviderAdd.jsp</literal></term>
<listitem>
<para>Associated with IDRepoResponseProviderAdd.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ResponseProviderEdit.jsp</literal></term>
<listitem>
<para>Associated with IDRepoResponseProviderEdit.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ResponseProviderProxy.jsp</literal></term>
<listitem>
<para>Supports changes in response providers for an existing policy.</para>
<!-- Best guess -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RuleAdd.jsp</literal></term>
<listitem>
<para>Displays a newly created policy, in the Edit Policy window.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RuleEdit.jsp</literal></term>
<listitem>
<para>Supports edits of an existing policy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RuleWithPrefixAdd.jsp</literal></term>
<listitem>
<para>Associated with the SelectServiceType.jsp endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RuleWithPrefixEdit.jsp</literal></term>
<listitem>
<para>Associated with the SelectServiceType.jsp endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RuleNoResourceAdd.jsp</literal></term>
<listitem>
<para>Associated with the SelectServiceType.jsp endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RuleNoResourceEdit.jsp</literal></term>
<listitem>
<para>Associated with the SelectServiceType.jsp endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SelectConditionType.jsp</literal></term>
<listitem>
<para>Enables a policy that depends on whether the information for a specific user can be found
in the identity repository LDAP database.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SelectRealm.jsp</literal></term>
<listitem>
<para>Opens a window that supports a selection from existing realms, based on available
authentication modules.</para>
<!-- While I can get to the window, my entries error out, so this may be a legacy endpoint -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SelectReferralType.jsp</literal></term>
<listitem>
<para>Supports the configuration of a referral type for a sub-realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SelectResponseProviderType.jsp</literal></term>
<listitem>
<para>Supports the configuration of a response provider type for an identity repository.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SelectServiceType.jsp</literal></term>
<listitem>
<para>Supports the configuration of a policy service type; supports the customization of a new rule
for configurable service types such as the Discovery Service.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SelectSubjectType.jsp</literal></term>
<listitem>
<para>Enables creation of a policy for web service clients, associated with federated access
management.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SessionPropertyAdd.jsp</literal></term>
<listitem>
<para>Supports a policy that depends on attributes in a user's session.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SessionPropertyConditionAdd.jsp</literal></term>
<listitem>
<para>Supports a policy that includes conditions based on attributes in a user's session.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SessionPropertyConditionEdit.jsp</literal></term>
<listitem>
<para>Edits conditions in a policy based on attributes in a user's session.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SessionPropertyEdit.jsp</literal></term>
<listitem>
<para>Edits attributes in a policy based on attributes in a user's session.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SubjectAdd.jsp</literal></term>
<listitem>
<para>Supports the configuration of a new policy for authenticated users; associated with
PMAuthenticatedUsersSubjectAdd.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SubjectEdit.jsp</literal></term>
<listitem>
<para>Edits the configuration of a policy for authenticated users; associated with
PMAuthenticatedUsersSubjectEdit.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SubjectNoneAdd.jsp</literal></term>
<listitem>
<para>Associated with a policy for web service clients; related to SelectSubjectType.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SubjectNoneEdit.jsp</literal></term>
<listitem>
<para>Supports the configuration of a new policy for authenticated users; associated with
PMAuthenticatedUsersSubjectEdit.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SubjectProxy.jsp</literal></term>
<listitem>
<para>Configures a proxy for web service client policies; associated with
SelectSubjectType.jsp.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-idm-jsp-endpoints">
<title>IDM Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>IDM Console</tertiary>
</indexterm>
<para>This group of service endpoints is associated with an identity management (IDM) interface from OpenAM.
You can find these endpoints in the console/idm subdirectory. You may not need all of the functionality
provided by the endpoints in this section.</para>
<para>Some of the endpoints in this section include references to UM*.jsp endpoints. These are the User Console
JSP Endpoints, located in the console/user subdirectory and described later in this chapter.</para>
<variablelist>
<varlistentry>
<term><literal>EndUser.jsp</literal></term>
<listitem>
<para>Accesses the information page for the currently logged in user.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Entities.jsp</literal></term>
<listitem>
<para>Opens the list of currently configured users, available via Access Control &gt;
<replaceable>[selected realm]</replaceable> &gt; Subjects.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityAdd.jsp</literal></term>
<listitem>
<para>Used when adding a new user or group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityDiscoveryDescriptionAdd.jsp</literal></term>
<listitem>
<para>Associated with the Discovery Service. To access that service, select a non-administrative
user and select the Services tab. The EntityDiscoveryDescriptionAdd.jsp file is used when
selecting a new Security Mechanism ID
as a Service Description as a new Discovery Resource Offering.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityDiscoveryDescriptionEdit.jsp</literal></term>
<listitem>
<para>Associated with an edit of an existing Security Mechanism ID.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityEdit.jsp</literal></term>
<listitem>
<para>Called when saving changes to an existing user.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityMembers.jsp</literal></term>
<listitem>
<para>Lists the members of a configured group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityMembersFilteredIdentity.jsp</literal></term>
<listitem>
<para>Lists the members of a configured group based on some filter.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityMembership.jsp</literal></term>
<listitem>
<para>Accessed when a regular user is made a member of a previously configured group.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityResourceOffering.jsp</literal></term>
<listitem>
<para>Supports custom resource offering entries for a previously configured user. Also seen when
accessing the UMUserResourceOffering.jsp file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityResourceOfferingAdd.jsp</literal></term>
<listitem>
<para>Supports entries of new resource offerings for a previously configured user. Also seen when
accessing the UMUserResourceOfferingAdd.jsp file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityResourceOfferingEdit.jsp</literal></term>
<listitem>
<para>Supports edits of existing resource offerings for a previously configured user. Also seen when
accessing the UMUserResourceOfferingEdit.jsp file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>EntityServices.jsp</literal></term>
<listitem>
<para>Supports a new service for a specific user. As of this writing, available services are:
Dashboard, Discovery Service, Liberty Personal Profile Service, and Session.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Home.jsp</literal></term>
<listitem>
<para>Opens a list of currently configured users.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesAdd.jsp</literal></term>
<listitem>
<para>Accessible after adding a new service for a currently configured user; associated with
the EntityServices.jsp file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesEdit.jsp</literal></term>
<listitem>
<para>Accessible for editing services associated with a currently configured user.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesNoAttribute.jsp</literal></term>
<listitem>
<para>Used if a configured organization has no available attributes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesSelect.jsp</literal></term>
<listitem>
<para>Opened when adding a service for a specific user.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-realm-jsp-endpoints">
<title>Console Realm JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Console Realm</tertiary>
</indexterm>
<para>If you want to know how to configure services and data stores within a realm, you'll want to understand
the workings of these service endpoints. If you want to customize realms in production, you'll want to keep
these endpoints available on an OpenAM console. You can find these endpoints in the console/realm
subdirectory.</para>
<variablelist>
<varlistentry>
<term><literal>HomePage.jsp</literal></term>
<listitem>
<para>Associated with the main Access Control page in the OpenAM GUI console, which lists configured
realms. If you call realm/HomePage.jsp directly, it cites messages associated with changes for
a specific user, and functions more closely associated with JSP endpoints in the console/idm
subdirectory.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDRepo.jsp</literal></term>
<listitem>
<para>Enables links with directory server data stores within a realm. To access, select Access
Control &gt; <replaceable>[some realm]</replaceable> &gt; Data Stores &gt; New. You should see
a variety of supported directory server data stores, such as Active Directory, OpenDJ, and
Tivoli Directory Server.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDRepoAdd.jsp</literal></term>
<listitem>
<para>Appears when you add a data store; associated with the IDRepo.jsp service endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDRepoEdit.jsp</literal></term>
<listitem>
<para>Appears when you edit an existing data store; associated with the IDRepo.jsp service
endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>IDRepoSelectType.jsp</literal></term>
<listitem>
<para>Includes a list of supported data stores, from Active Directory to OpenDJ; associated with
the IDRepo.jsp service endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RMRealm.jsp</literal></term>
<listitem>
<para>Supports the configuration of a new realm, or editing of an existing realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RMRealmAdd.jsp</literal></term>
<listitem>
<para>Supports the addition of a new realm; associated with the RMRealm.jsp service endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RealmDiscoveryDescriptionAdd.jsp</literal></term>
<listitem>
<para>Supports a new description for a realm; associated with the RealmResourceOffering.jsp service
endpoint.</para>
<!-- based on my reading of RealmResourceOfferingViewBeanBase.java -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RealmDiscoveryDescriptionEdit.jsp</literal></term>
<listitem>
<para>Supports an edited description; associated with the RealmResourceOffering.jsp service endpoint.</para>
<!-- based on my reading of RealmResourceOfferingViewBeanBase.java -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RealmProperties.jsp</literal></term>
<listitem>
<para>Works with the pages that allow you to edit an existing realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RealmResourceOffering.jsp</literal></term>
<listitem>
<para>Supports the configuration of a security mechanism to a new realm resource offering. Requires
the configuration of the discovery service, and the configuration of a directory resource
offering for the specified realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RealmResourceOfferingAdd.jsp</literal></term>
<listitem>
<para>Supports the addition of a security mechanism to a new realm resource offering. Requires
the configuration of the discovery service, and the configuration of a directory resource
offering for the specified realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>RealmResourceOfferingEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of a security mechanism for an existing realm resource offering. Requires
the configuration of the discovery service, and the configuration of a directory resource
offering for the specified realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Services.jsp</literal></term>
<listitem>
<para>Supports the configuration of a service within a specified realm.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesAdd.jsp</literal></term>
<listitem>
<para>Supports the addition of a service to a specified realm; available services to add include
Administration, Dashboard, Discovery, Globalization Settings, OAuth2 Provider, Password Reset,
Session, and User.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesCannotAssignService.jsp</literal></term>
<listitem>
<para>If a desired service is not compatible with directory data available from an organization, it
is rejected.</para>
<!--Based on my reading of the ServicesAddViewBean.java file -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of an existing service; associated with the Services.jsp endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesNoAttribute.jsp</literal></term>
<listitem>
<para>Supports the editing of an existing service; called if the attribute cannot be found or
changed.</para>
<!--Based on my reading of the ServicesEditViewBean.java file -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServicesSelect.jsp</literal></term>
<listitem>
<para>Implements step 1 of the addition of a new service; associated with the Services.jsp
endpoint.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-service-jsp-endpoints">
<title>Service Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Service Console</tertiary>
</indexterm>
<para>You can find the JSP files in this category in the console/service subdirectory. Most of the endpoints
are accessible in the console, from various options associated with the Configuration menu. If you
don't use some of the functionality described, such as Liberty ID-FF or SOAP binding, you may be able to
delete the associated endpoints.</para>
<variablelist>
<varlistentry>
<term><literal>G11NCharsetAliasAdd.jsp</literal></term>
<listitem>
<para>Supports the configuration of a new character set alias. Accessible from the Globalization
Settings &gt; Charset Aliases submenu.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>G11NCharsetAliasEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of an existing character set alias. Accessible from the Globalization
Settings &gt; Charset Aliases submenu.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>G11NSupportedCharsetAdd.jsp</literal></term>
<listitem>
<para>Supports the configuration of a new character set supported by a locale. Accessible from the
Globalization Settings &gt; Charsets Supported by Each Locale submenu.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>G11NCharsetAliasEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of an existing character set supported by a locale. Accessible from the
Globalization Settings &gt; Charsets Supported by Each Locale submenu.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>MAPClientManager.jsp</literal></term>
<listitem>
<para>Supports a list of client types. Associated with the Default Client Type option available
via Configuration &gt; System &gt; Client Detection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>MAPCreateDevice.jsp</literal></term>
<listitem>
<para>Supports creation of client devices.</para>
<!-- Guess, based on functionality of MAPClientManager.jsp -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>MAPCreateDeviceTwo.jsp</literal></term>
<listitem>
<para>Supports creation of client devices.</para>
<!-- Guess, based on functionality of MAPClientManager.jsp -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>MAPDeviceProfile.jsp</literal></term>
<listitem>
<para>Supports step 1 of creating a new client device.</para>
<!-- Guess, based on functionality of MAPClientManager.jsp -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>MAPDuplicationDevice.jsp</literal></term>
<listitem>
<para>Used with duplicate client devices.</para>
<!-- Guess, based on functionality of MAPClientManager.jsp -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCConfig.jsp</literal></term>
<listitem>
<para>Associated with basic Service Configuration data, and the other endpoints accessible from
the Configuration menu.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCConfigAuth.jsp</literal></term>
<listitem>
<para>Supports the configuration of available authentication databases. You can get to this window
by selecting Configuration &gt; Authentication.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCConfigConsole.jsp</literal></term>
<listitem>
<para>Supports the configuration of administrative and globalization console properties. You can get
to this window by selecting Configuration &gt; Console.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCConfigGlobal.jsp</literal></term>
<listitem>
<para>Supports the configuration of OpenAM global properties. You can get to this window by
selecting Configuration &gt; Global.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCConfigSystem.jsp</literal></term>
<listitem>
<para>Supports the configuration of OpenAM system properties. You can get to this window by
selecting Configuration &gt; System.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCPlatform30.jsp</literal></term>
<listitem>
<para>Accesses current global attributes and cookie domain settings. To get to this window, select
Configuration &gt; System &gt; Platform.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCPolicy.jsp</literal></term>
<listitem>
<para>Supports a view of the current policy configuration. To access this window, select
Configuration &gt; Global &gt; Policy Configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCPolicyResourceComparatorAdd.jsp</literal></term>
<listitem>
<para>Supports the addition of a new resource comparator to the current policy configuration.
To access the relevant window, select Configuration &gt; Global &gt; Policy Configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCPolicyResourceComparatorEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of an existing resource comparator in the current policy configuration.
To access the relevant window, select Configuration &gt; Global &gt; Policy Configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCSAML2SOAPBinding.jsp</literal></term>
<listitem>
<para>Enables a review of current SAMLv2 SOAP binding request handlers. Associated with SOAP-based
communications, using SAMLv2 requests, between a client and a server.
To access the relevant screen, select Configuration &gt; Global &gt; SAMLv2 SOAP Binding.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCSAML2SOAPBindingRequestHandlerListAdd.jsp</literal></term>
<listitem>
<para>Allows you to add a new SAMLv2 SOAP binding request handler.
To access the relevant screen, select Configuration &gt; Global &gt; SAMLv2 SOAP Binding.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCSAML2SOAPBindingRequestHandlerListDup.jsp</literal></term>
<listitem>
<para>Allows you to duplicate an existing SAMLv2 SOAP binding request handler.
To access the relevant screen, select Configuration &gt; Global &gt; SAMLv2 SOAP Binding.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCSAML2SOAPBindingRequestHandlerListEdit.jsp</literal></term>
<listitem>
<para>Allows you to edit an existing SAMLv2 SOAP binding request handler.
To access the relevant screen, select Configuration &gt; Global &gt; SAMLv2 SOAP Binding.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCSOAPBinding.jsp</literal></term>
<listitem>
<para>Enables a review of current SOAP binding request handlers. Associated with the Liberty
Alliance Project Identity Federation Framework (Liberty ID-FF).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCSOAPBindingRequestHandlerListAdd.jsp</literal></term>
<listitem>
<para>Allows you to add a new SOAP binding request handler. Associated with the Liberty
Alliance Project Identity Federation Framework (Liberty ID-FF).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCSOAPBindingRequestHandlerListDup.jsp</literal></term>
<listitem>
<para>Allows you to duplicate an existing SOAP binding request handler. Associated with the Liberty
Alliance Project Identity Federation Framework (Liberty ID-FF).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SCSOAPBindingRequestHandlerListEdit.jsp</literal></term>
<listitem>
<para>Allows you to edit an existing SOAP binding request handler. Associated with the Liberty
Alliance Project Identity Federation Framework (Liberty ID-FF).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SecurityTokenService.jsp</literal></term>
<listitem>
<para>Supports the configuration of tokens associated with the Security Token Service (STS). To
access the associated screen, select Configuration &gt; Global &gt; Security Token Service.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerAdd.jsp</literal></term>
<listitem>
<para>Supports the addition of an OpenAM server to work behind a load balancer in support of
Session Failover (SFO). Available from Configuration &gt; Servers and Sites, in the Servers
subsection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerClone.jsp</literal></term>
<listitem>
<para>Supports the cloning of an existing OpenAM server to work behind a load balancer in support of
Session Failover (SFO). Available from Configuration &gt; Servers and Sites, in the Servers
subsection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerConfigInherit.jsp</literal></term>
<listitem>
<para>Supports the inheritance of the default configuration for servers, as it relates to SFO.</para>
<!-- Best guess -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerConfigXMLAddServer.jsp</literal></term>
<listitem>
<para>Enables the configuration of a new server; relates to SFO.</para>
<!-- Best guess based on screen that appears -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerConfigXML.jsp</literal></term>
<listitem>
<para>Supports the review of the XML settings of an existing server, as it relates to SFO.</para>
<!-- Best guess -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerEditAdvanced.jsp</literal></term>
<listitem>
<para>Supports the editing of advanced properties for default servers, in the configuration of
servers for SFO. To access, select Configuration &gt; Servers and Sites &gt; Default Server
Settings, and click Advanced.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerEditGeneral.jsp</literal></term>
<listitem>
<para>Supports the editing of general properties for default servers, such as the base directory,
default locale, debug level, mail server for notifications, and more. Relates to the
configuration of servers for SFO. To access, select Configuration &gt; Servers and Sites &gt;
Default Server Settings, and click General.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerEditSDK.jsp</literal></term>
<listitem>
<para>Supports the editing of SDK-related properties for default servers, associated with SFO.
Supports editing of settings such as datastore notifications, event service connection retries,
LDAP connections, Time To Live (TTL) for user entries, and more. To access, select Configuration
&gt; Servers and Sites &gt; Default Server Settings, and click SDK.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerEditSecurity.jsp</literal></term>
<listitem>
<para>Supports the editing of security properties for default servers; associated with SFO.
Includes default security settings such as encryption keys, cookie encoding, key stores, and
certificate management. To access, select Configuration &gt; Servers and Sites &gt;
Default Server Settings, and click Security.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerEditSession.jsp</literal></term>
<listitem>
<para>Supports the editing of session properties for default servers; associated with SFO.
Note the Session Limit default specifies a maximum of 5000, well short of the 100,000 sessions
that can be handled by a standard 3GB dual-core production system. To access, select
Configuration &gt; Servers and Sites &gt; Default Server Settings, and click Session.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ServerSite.jsp</literal></term>
<listitem>
<para>Associated with the addition or editing of a load balancer that distributes requests to other
OpenAM servers. Available from Configuration &gt; Servers and Sites, in the Servers
subsection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SiteAdd.jsp</literal></term>
<listitem>
<para>Enables the configuration of a load balancer to distribute requests to other existing OpenAM
servers. Available from Configuration &gt; Servers and Sites, in the Sites subsection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SiteEdit.jsp</literal></term>
<listitem>
<para>Enables changes to a configured load balancer in how it distributes requests to other existing
OpenAM servers. Available from Configuration &gt; Servers and Sites, in the Sites
subsection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SMDiscoveryBootstrapRefOffAdd.jsp</literal></term>
<listitem>
<para>Includes new resource offerings for the discovery service, bootstrapped using a standard such
as SAML2.</para>
<!-- Best guess, based on info from the OpenSSO Enterprise 8.0 Administration Guide -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SMDiscoveryBootstrapRefOffEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of existing resource offerings for the discovery service, bootstrapped
with a standard such as SAML2.</para>
<!-- Best guess, based on info from the OpenSSO Enterprise 8.0 Administration Guide -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SMDiscoveryDescriptionAdd.jsp</literal></term>
<listitem>
<para>Includes the addition of new options for the discovery service.</para>
<!-- Best guess, based on info from the OpenSSO Enterprise 8.0 Administration Guide -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SMDiscoveryDescriptionEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of existing options for the discovery service.</para>
<!-- Best guess, based on info from the OpenSSO Enterprise 8.0 Administration Guide -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SMDiscoveryProviderResourceIdMapperAdd.jsp</literal></term>
<listitem>
<para>Supports the mapping of a new resource ID for the discovery service.</para>
<!-- Best guess, based on info from the OpenSSO Enterprise 8.0 Administration Guide -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SMDiscoveryProviderResourceIdMapperEdit.jsp</literal></term>
<listitem>
<para>Supports the editing of an existing resource ID for the discovery service.</para>
<!-- Best guess, based on info from the OpenSSO Enterprise 8.0 Administration Guide -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SMDiscoveryService.jsp</literal></term>
<listitem>
<para>Supports a review and configuration of the Discovery Server, for global attributes, the
ResourceID Mapper plug-in, and bootstrapping.</para>
<!-- Best guess, based on info from the screen that appears -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SMG11N.jsp</literal></term>
<listitem>
<para>Allows you to configure globalization settings for OpenAM; accessible via Configuration &gt;
Console &gt; Globalization Settings.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>STSExportPolicy.jsp</literal></term>
<listitem>
<para>Allows you to review and copy STS policies for export, input, and output. You can review this
via Configuration &gt; Global &gt; Security Token Service &gt; Export Policy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SubConfigAdd.jsp</literal></term>
<listitem>
<para>Allows you to configure a secondary configuration instance; accessible via Configuration &gt;
Global &gt; Session.</para>
<!-- Best guess, based on info from the screen that appears -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SubConfigEdit.jsp</literal></term>
<listitem>
<para>Allows you to edit an existing secondary configuration instance; accessible via
Configuration &gt; Global &gt; Session.</para>
<!-- Best guess, based on info from the screen that appears -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SubSchemaTypeSelect.jsp</literal></term>
<listitem>
<para>Allows you to configure a schema associated with breadcrumbs.</para>
<!-- Best guess -->
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-session-jsp-endpoints">
<title>Session Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Session Console</tertiary>
</indexterm>
<para>There are currently two service endpoints configured in the console/session subdirectory, related to
login sessions.</para>
<variablelist>
<varlistentry>
<term><literal>SMProfile.jsp</literal></term>
<listitem>
<para>Provides information on current login session statistics. Available from the Sessions tab of
the main console.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SessionHAStatistics.jsp</literal></term>
<listitem>
<para>Supports session high availability statistics collection.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-task-jsp-endpoints">
<title>Task Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Task Console</tertiary>
</indexterm>
<para>The service endpoints in the console/task subdirectory relate to the options available from the default
start page when an administrator logs into the OpenAM console. If you don't use Google Apps or Salesforce,
you may not need some of the functionality in the associated endpoints.</para>
<variablelist>
<varlistentry>
<term><literal>CompleteCreateHostedIDP.jsp</literal></term>
<listitem>
<para>Provides information on what the administrator can do after configuring an Identity Provider
(IDP). Options listed include registering a remote Service Provider (SP), creating a fedlet,
configuring Google Apps, and configuring Salesforce CRM. Includes links to such functionality,
which depend on the configuration of a Circle of Trust (CoT).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConfigureGoogleApps.jsp</literal></term>
<listitem>
<para>Supports the configuration of Google Apps for single sign-on (SSO). Requires a CoT
configured with an IDP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConfigureGoogleAppsComplete.jsp</literal></term>
<listitem>
<para>Enables entries to configure the SP. Includes steps "To Enable Access to the Google Apps
API."</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConfigureGoogleAppsWarning.jsp</literal></term>
<listitem>
<para>Includes a default warning message related to the ConfigureGoogleApps.jsp endpoint. The
message is self-explanatory, though grammatically questionable: "Unable to configure because there
are no circle of trust with Identity Provider."</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConfigureOAuth2.jsp</literal></term>
<listitem>
<para>Supports the configuration of OAuth2 Authorization. For more information, see
the chapter on <link xlink:href="admin-guide#chap-oauth2"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing OAuth2 Authorization in the Administration Guide</citetitle></link>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConfigureSalesForceApps.jsp</literal></term>
<listitem>
<para>Accessible when you select the Configure Salesforce CRM link shown in the main GUI console.
Requires IDP and SP information for an appropriate CoT, where OpenAM is the IDP and Salesforce
is configured as the SP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConfigureSalesForceAppsComplete.jsp</literal></term>
<listitem>
<para>Supports the configuration of SSO with a Salesforce CRM account. Includes instructions on
the settings to add to an applicable Salesforce account.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ConfigureSalesForceAppsFinishWarning.jsp</literal></term>
<listitem>
<para>Sets up a warning message related to a need for a Salesforce Login URL for the configuration.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CreateFedlet.jsp</literal></term>
<listitem>
<para>A fedlet supports federation for an SP that does not already have its own federation solution.
For more information, see
the chapter on <link xlink:href="dev-guide#chap-fedlet-java"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Using Fedlets in Java Web Applications in the Development Guide
</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CreateFedletWarning.jsp</literal></term>
<listitem>
<para>Sets up a warning message related to the prerequisite for a CoT with the IDP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CreateHostedIDP.jsp</literal></term>
<listitem>
<para>Supports the configuration of a SAMLv2 IDP on the local instance of OpenAM.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CreateHostedSP.jsp</literal></term>
<listitem>
<para>Supports the configuration of a SAMLv2 SP on the local instance of OpenAM.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CreateRemoteIDP.jsp</literal></term>
<listitem>
<para>Supports the configuration of a SAMLv2 IDP on a remote system, within a configured CoT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>CreateRemoteSP.jsp</literal></term>
<listitem>
<para>Supports the configuration of a SAMLv2 SP on a remote system, within a configured CoT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>Home.jsp</literal></term>
<listitem>
<para>Endpoint that redirects the client to the startup page for OpenAM.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ValidateSAML2Setup.jsp</literal></term>
<listitem>
<para>Supports the test of a federation connection between an IDP and SP in a CoT.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-user-jsp-endpoints">
<title>User Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>User Console</tertiary>
</indexterm>
<para>Endpoints in the console/user subdirectory support account configuration tasks. Many of these
endpoints are accessible by realm. From the home page screen, select Access Control &gt;
<replaceable>[realm]</replaceable> &gt; Subjects &gt; <replaceable>[name of user]</replaceable>. This
should open up an Edit User screen.</para>
<variablelist>
<varlistentry>
<term><literal>UMChangeUserPassword.jsp</literal></term>
<listitem>
<para>This service endpoint is normally opened in a separate window to enable a user (or
administrator) to change their login password. Accessible from the Edit User screen. All
you need to do from the screen is click Edit next to the Password entry.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>UMUserDiscoveryDescriptionAdd.jsp</literal></term>
<listitem>
<para>Relates to the security mechanism identifier associated with a user. To access from the screen
for an individual user, select Services &gt; Discovery Service &gt; Add &gt; scroll down to the
Service Description box &gt; New Description &gt; select and Add a Security Mechanism ID.
Example IDs include urn:liberty:security:2003-08:ClientTLS:SAML, which relates to the former
Liberty Alliance project, using Transport Layer Security (TLS) on the client, with SAML
assertions.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>UMUserDiscoveryDescriptionEdit.jsp</literal></term>
<listitem>
<para>Supports editing of the security mechanism identifier associated with a user. Closely related
to the UMUserDiscoveryDescriptionAdd.jsp endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>UMUserPasswordResetOptions.jsp</literal></term>
<listitem>
<para>Allows you to "Force Change Password on Next Login". Accessible from the Edit User screen for
a specific user, via the "Password Reset Options" entry near the bottom of the window.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>UMUserResourceOffering.jsp</literal></term>
<listitem>
<para>Accessible as an option to the Discovery Service for a specific user. To access from the Edit
User screen for a specific user, select Services &gt; Discovery Service &gt; Add.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>UMUserResourceOfferingAdd.jsp</literal></term>
<listitem>
<para>Accessible as an option to the Discovery Service for a specific user. To access from the Edit
User screen for a specific user, select Services &gt; Discovery Service &gt; Add.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>UMUserResourceOfferingEdit.jsp</literal></term>
<listitem>
<para>Accessible as an option to the Discovery Service for a specific user. To edit an existing
resource offering, navigate to the Edit User screen for a specific user, select Services &gt;
Discovery Service &gt; <replaceable>[some previously configured service]</replaceable>.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-web-services-jsp-endpoints">
<title>Web Services Console JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Web Services Console</tertiary>
</indexterm>
<para>Web services include endpoints in the console/webservices subdirectory. You can use them to define legacy
options for services such as the Liberty Identity Federation Framework (ID-FF). As such, these endpoints
may be less essential to your implementation of OpenAM.
For more information, see the
<link xlink:show="new"
xlink:href="http://www.forgerock.org/security_advisory2.html"><citetitle>OpenAM Wiki on Web Services
</citetitle></link>.</para>
<variablelist>
<varlistentry>
<term><literal>WSAuthNServices.jsp</literal></term>
<listitem>
<para>Supports the configuration of various mechanism handlers for authentication, including
CRAM-MD5, PLAIN, and SSOToken.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSAuthNServicesHandlersAdd.jsp</literal></term>
<listitem>
<para>Supports the addition of a new mechanism handler for authentication.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSAuthNServicesHandlersEdit.jsp</literal></term>
<listitem>
<para>Supports changes to an existing mechanism handler for authentication.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSPPServiceDSAttributeMapListAdd.jsp</literal></term>
<listitem>
<para>Enables the addition of a new LDAP attribute, with a name prefix.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSPPServiceDSAttributeMapListEdit.jsp</literal></term>
<listitem>
<para>Enables the editing of an existing LDAP attribute, with a name prefix.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSPPServiceSupportedContainerAdd.jsp</literal></term>
<listitem>
<para>Enables the creation of a new supported container for ID-FF.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSPPServiceSupportedContainerEdit.jsp</literal></term>
<listitem>
<para>Enables the editing of an existing container.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>WSPersonalProfileService.jsp</literal></term>
<listitem>
<para>Allows you to configure ID-FF for global attributes, supported containers, PPLDAP attributes
and alternative security mechanisms.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="oauth-jsp-endpoints">
<title>OAuth JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>OAuth</tertiary>
</indexterm>
<para>Includes endpoints in the oauth, oauth2, and oauth2c subdirectories. Some of the service endpoints in the
oauth subdirectory are based on OAuth 1.0, which may be deprecated in an upcoming release.</para>
<!-- ref OpenAM-1683 , and https://blogs.oracle.com/docteger/entry/opensso_oauth_token_service -->
<variablelist>
<varlistentry>
<term><literal>deleteconsumer.jsp</literal></term>
<listitem>
<para>This endpoint is used to delete consumer systems, which get resources from service providers
(SPs) based on OAuth 1.0 tokens.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>deletetoken.jsp</literal></term>
<listitem>
<para>This endpoint is used to delete an existing OAuth 1.0 token.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>index.jsp</literal></term>
<listitem>
<para>Specifies an endpoint used to register and delete service consumers, which get resources
from SPs. Provides access to registerconsumer.jsp and deleteconsumer.jsp. Associated with OAuth 1.0.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>registerconsumer.jsp</literal></term>
<listitem>
<para>Defines an endpoint used to register a consumer of services from SPs. Associated with OAuth
1.0.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>userconsole.jsp</literal></term>
<listitem>
<para>Allows a user to authorize or revoke a request for an OAuth 1.0 token.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>registerClient.jsp</literal></term>
<listitem>
<para>Enables registration of an OAuth 2.0 client with the OpenAM OAuth 2.0 authorization service.
For details, see the Administration Guide chapter on
<link xlink:href="admin-guide#chap-oauth2#register-oauth2-client"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing OAuth 2.0 Authorization</citetitle></link>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>OAuthLogout.jsp</literal></term>
<listitem>
<para>Used to log out the resource owner with the OAuth 2.0 provider. For more information, see
the Administration Guide chapter on
<link xlink:href="admin-guide#chap-oauth2#register-oauth2-client"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Defining Authentication Services</citetitle></link>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>OAuthProxy.jsp</literal></term>
<listitem>
<para>Endpoint used for redirection. For more information, see the Administration Guide chapter on
<link xlink:href="admin-guide#chap-oauth2#register-oauth2-client"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing OAuth 2.0 Authorization</citetitle></link>.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="password-jsp-endpoints">
<title>Password JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>Password</tertiary>
</indexterm>
<para>The endpoints in this section can be found in the password/ui subdirectory. Each of these endpoints uses
the PWResetViewBeanBase.java file, as a class to set up messages. You can view some of these endpoints by
omitting <literal>password</literal> from the path. For example, to view the effect of the PWResetUserValidation.jsp
endpoint on an OpenAM system using a URL of openam.example.org in a standard Tomcat container, navigate to
http://openam.example.org/openam/ui/PWResetUserValidation.jsp. You can set associated options from
the main console by selecting Configuration &gt; Global &gt; Password Reset. For more information on the
process, see the chapter on <link xlink:href="admin-guide#chap-pwd-reset"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Configuring Password Reset in the Administration Guide</citetitle></link>.</para>
<variablelist>
<varlistentry>
<term><literal>PWResetBase.jsp</literal></term>
<listitem>
<para>This simple endpoint includes a redirection of the ServiceURI, and specifies OpenAM as the
ProductName. It's cited by the other endpoints in the password/ui subdirectory.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PWResetInvalidURL.jsp</literal></term>
<listitem>
<para>This endpoint is called with the PWResetInvalidURLViewBean class, when a module servlet gets
an invalid URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PWResetQuestion.jsp</literal></term>
<listitem>
<para>Starts the password reset process by prompting for the User ID. For more information on the
process, see the method for the associated <literal>PWResetQuestionModel</literal>, available from
the <link xlink:href="http://download.forgerock.org/downloads/openam/javadocs/internal/com/sun/identity/password/ui/model/PWResetQuestionModel.html"
xlink:show="new">Interface PWResetQuestionModel specification page</link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PWResetSuccess.jsp</literal></term>
<listitem>
<para>Specifies the endpoint that is called when an account password is successfully reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PWResetUncaughtException.jsp</literal></term>
<listitem>
<para>Specifies a "Contact your administrator" message when there is an error in a related endpoint.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>PWResetUserValidation.jsp</literal></term>
<listitem>
<para>Opens a screen that prompts for a user ID (UID). If that UID is found in the database,
configured with an accessible email address, on a system connected to a mail server,
a reset link is sent to that address.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="saml2-jsp-endpoints">
<title>SAML2 JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>SAML2</tertiary>
</indexterm>
<para>You can find the endpoints described in this section in the saml2/jsp subdirectory. As of this writing,
some of these endpoints are not used in the current implementation of OpenAM. Active endpoints in this category
are discussed in the chapter on <link xlink:href="admin-guide#chap-federation"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML2 Federation in the Administration Guide</citetitle></link>.</para>
<variablelist>
<varlistentry>
<term><literal>default.jsp</literal></term>
<listitem>
<para>May be used by other files to return a success or failure message. While the default.jsp name
is common in the trunk, the jsp/default.jsp filename is used only by SPSingleLogout.java, which
is not commonly used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>exportmetadata.jsp</literal></term>
<listitem>
<para>Supports the export of XML-based metadata with other providers within a circle of trust (CoT).
Currently used. For more information, see
the chapter on <link xlink:href="admin-guide#chap-federation"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML2 Federation in the Administration Guide</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>fedletAttrQuery.jsp</literal></term>
<listitem>
<para>Supports the configuration of SAML attribute query headers.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>fedletAttrResp.jsp</literal></term>
<listitem>
<para>Supports the configuration of SAML attribute response headers.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>fedletSSOInit.jsp</literal></term>
<listitem>
<para>Previously used to start single sign-on at the Fedlet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>fedletSampleApp.jsp</literal></term>
<listitem>
<para>Specifies a sample fedlet application that can be removed in production.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>fedletXACMLQuery.jsp</literal></term>
<listitem>
<para>Enables a sample SAML XACML query handler; used for testing, to prompt users to specify a
resource URL along with an action (GET, POST).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>fedletXACMLResp.jsp</literal></term>
<listitem>
<para>Retrieves a sample SAML XACML resource URL for a yes, no, or maybe decision
(PERMIT, DENY, or INDETERMINATE).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>idpMNIPOST.jsp</literal></term>
<listitem>
<para>The MNI in several JSP files relates to ManageNameID, which sets up corresponding accounts
on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP
redirect.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>idpMNIRedirect.jsp</literal></term>
<listitem>
<para>The MNI in several JSP files relates to ManageNameID, which sets up corresponding accounts
on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP
redirect. It uses a metadata-based alias, an entity ID for the service provider, and the type
of MNI request; examples include <literal>NewID</literal> and <literal>terminate</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>idpMNIRequestInit.jsp</literal></term>
<listitem>
<para>The MNI in several JSP files relates to ManageNameID, which sets up corresponding accounts
on IDPs and SPs. As described in the
<link xlink:href="admin-guide#chap-federation#change-federation"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML2 Federation in the Administration Guide</citetitle></link> chapter of
the Administration Guide, it allows you to change federation of persistently linked accounts.
The chapter also includes an example of this endpoint at work.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>idpSSOFederate.jsp</literal></term>
<listitem>
<para>Specifies an endpoint that takes authentication requests from an SP, with
<literal>SAMLRequest</literal> data, a <literal>metaAlias</literal>, and a <literal>RelayState</literal>
with information from the target URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>idpSSOInit.jsp</literal></term>
<listitem>
<para>Specifies an endpoint that starts SSO, either from cache, or by verifying
<literal>metaAlias</literal> and SP identifier data. For more information, see
the chapter on <link xlink:href="admin-guide#chap-federation"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML2 Federation in the Administration Guide</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>idpSingleLogoutInit.jsp</literal></term>
<listitem>
<para>Starts a <literal>LogoutRequest</literal> from the identity provider. For more information, see
the chapter on <link xlink:href="admin-guide#chap-federation"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML2 Federation in the Administration Guide</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>idpSingleLogoutPOST.jsp</literal></term>
<listitem>
<para>Specifies an endpoint that receives logout requests from IDPs and receives logout responses
from SPs. Also sends logout responses to SPs.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>idpSingleLogoutRedirect.jsp</literal></term>
<listitem>
<para>Takes the <literal>SAMLRequest</literal> and <literal>SAMLResponse</literal> messages for
logouts from the SP. May also handle the <literal>RelayState</literal> directive.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SA_IDP.jsp</literal></term>
<listitem>
<para>Used for SAML authentication for communication with identity providers (IDPs).</para>
<!-- At least that's my reading of the JSP file -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SA_SP.jsp</literal></term>
<listitem>
<para>Used for SAML authentication for communication with service providers (SPs).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>saeerror.jsp</literal></term>
<listitem>
<para>Returns an error message related to Secure Attribute Exchange (SAE). Currently used only by
the SA_IDP.jsp and SA_SP.jsp endpoints.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>saml2error.jsp</literal></term>
<listitem>
<para>Endpoint that may return one of many error codes, specified in the comments of the file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>spAssertionConsumer.jsp</literal></term>
<listitem>
<para>Used on an SP, to interpret information from an IDP. The request to the IDP is an
<literal>AuthnRequest</literal>; the response from the IDP is read by this endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>spMNIPOST.jsp</literal></term>
<listitem>
<para>The MNI in several JSP files relates to ManageNameID, which sets up corresponding accounts
on IDPs and SPs. This particular endpoint takes the associated request, using an HTTP Redirect,
from an SP. Less commonly used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>spMNIRedirect.jsp</literal></term>
<listitem>
<para>This particular endpoint handles the <literal>ManageNameIDRequest</literal>
and <literal>ManageNameIDResponse</literal> messages with the help of HTTP Redirect. Less
commonly used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>spMNIRequestInit.jsp</literal></term>
<listitem>
<para>This particular endpoint supports changes to federation of persistently linked
accounts, in a fashion similar to idpMNIRequestInit.jsp. For an example of this endpoint at
work, see the chapter on <link xlink:href="admin-guide#chap-federation"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML2 Federation in the Administration Guide</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>spSSOInit.jsp</literal></term>
<listitem>
<para>Supports SSO messages from the SP. For more information and an example of how this endpoint is
used, see the chapter on <link xlink:href="admin-guide#chap-federation"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML2 Federation in the Administration Guide</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>spSingleLogoutInit.jsp</literal></term>
<listitem>
<para>Supports SSO messages from the SP. For more information, see
the chapter on <link xlink:href="admin-guide#chap-federation"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML2 Federation in the Administration Guide</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>spSingleLogoutPOST.jsp</literal></term>
<listitem>
<para>Specifies an endpoint that receives logout requests from SPs and receives logout responses
from IDPs. Also sends logout responses to IDPs. Converse endpoint to idpSingleLogoutPOST.jsp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>spSingleLogoutRedirect.jsp</literal></term>
<listitem>
<para>Takes the <literal>SAMLRequest</literal> and <literal>SAMLResponse</literal> messages for
logouts from the IDP. May also handle the <literal>RelayState</literal> directive. Converse
endpoint to idpSingleLogoutRedirect.jsp.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="wsfederation-jsp-endpoints">
<title>WS Federation JSP Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>JSP</secondary>
<tertiary>WS Federation</tertiary>
</indexterm>
<para>The endpoints described in this section, in the wsfederation/jsp subdirectory, relate to Kantara Alliance
standards that originated with the Liberty Alliance Project Identity Federation Framework.</para>
<variablelist>
<varlistentry>
<term><literal>logout.jsp</literal></term>
<listitem>
<para>Shows a page after a successful logout.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>multi.jsp</literal></term>
<listitem>
<para>Used for multi-federation protocol configurations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>post.jsp</literal></term>
<listitem>
<para>Sets up a form for single sign-on (SSO) responses sent from the IDP to the SP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>realmSelection.jsp</literal></term>
<listitem>
<para>Default display if no realms are defined.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="web-inf-endpoints">
<title>WEB-INF Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>WEB-INF</secondary>
</indexterm>
<para>The OpenAM WAR archive includes pointers to different URL patterns in the web.xml file. The following
section includes a description of each of the identified URL patterns.</para>
<para>Many of the endpoints in this section are based on what you would add to an OpenAM URL. Many of the
endpoints described in the web.xml file are not directly related to the .jsp files described in other parts
of this chapter.</para>
<para>The endpoints in this chapter are taken from all items tagged with the <literal>url-pattern</literal>
label. These endpoints are listed in the order in which they appear in the web.xml file available at the time of
this writing; the list is changed frequently. If you want to disable one or more of these endpoints, you may be
able to delete them from the web.xml file.</para>
<para>Each of the <literal>url-pattern</literal>s shown in the web.xml file is associated with elements such as
a <literal>filter-name</literal> or a <literal>servlet-name</literal>. The definitions that follow use those
elements to help identify the function
of each endpoint listed in the web.xml file. Many of these elements can be directly related to a .java file.
</para>
<para>The endpoints in this section are in the order found in the list of <literal>url-pattern</literal> entries
shown in the web.xml file at the time of this writing.</para>
<variablelist>
<varlistentry>
<term><literal>/*</literal></term>
<listitem>
<para>This entry is more of a filter for all endpoints. It's associated with the
ResponseValidationFilter, which checks for valid URLs. It's also associated with the
AMSetupFilter.java file; on systems not yet configured, it redirects users to the setup wizard.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>ws/*</literal></term>
<listitem>
<para>Specifies a group of URLs related to authentication endpoints, as it is associated with the
AuthNFilter.java and AuthZFilter.java files. However, those files (and the associated
RestServiceManager.java file) are not called by any other files in the trunk.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/login</literal></term>
<listitem>
<para>With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Login.jsp
endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/logout</literal></term>
<listitem>
<para>With the help of the LoginLogoutMapping.java file, this would forward to the /UI/Logout.jsp
endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/UI/*</literal></term>
<listitem>
<para>With the help of the LoginServlet.java file, this forwards to the default login page for
an OpenAM system.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/config/configurator</literal></term>
<listitem>
<para>Uses the AMSetupServlet, which, as noted in the associated .java file, "is the first class
to get loaded by the Servlet container".</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/setup/setSetupProgress</literal></term>
<listitem>
<para>Used by the installation wizard to display the progress.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/upgrade/setUpgradeProgress</literal></term>
<listitem>
<para>Used by the upgrade wizard to display progress.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ui/*</literal></term>
<listitem>
<para>Associated with the servlet named PWResetServlet, which relates to password resets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/gateway</literal></term>
<listitem>
<para>Used with the servlet named GatewayServlet. Associated with the Gateway.java file, which takes
an authentication module and forwards it to a login URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/GetHttpSession</literal></term>
<listitem>
<para>The associated .java file relates to Session Failover (SFO).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/sessionservice, /profileservice, /policyservice, /namingservice, /loggingservice,
/authservice, /notificationservice</literal></term>
<listitem>
<para>All of these endpoints are associated with
<link xlink:show="new"
xlink:href="http://www.forgerock.org/security_advisory1.html">
OpenAM Security Advisory #201203</link>. As suggested in the advisory, if you're using
OpenAM version 9.5.4 or 10.0.0, you should be sure to apply the updates required to upgrade your
systems to versions 9.5.5 or 10.0.1 (or higher).</para>
<!-- Wild guess on /notificationservice, as it's now redirected to the same OpenSSO output as
the other listed endpoints. -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/jaxrpc/*, /identityservices/*</literal></term>
<listitem>
<para>These endpoints provide information on configured web services, including the port name,
status, URL, and implementation class. Both endpoints show the same data. The IdentityServices
servlet name points to the following description: "Web Service Endpoint - Identity Services".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SMSServlet</literal></term>
<listitem>
<para>Includes system configuration information when available, as documented in the comments to
the AMSystemConfig.java file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/notification</literal></term>
<listitem>
<para>The associated servlet named notificationservlet appears to be commonly used. When the URL is
entered, the default output is 200, associated with a URL success message.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/entitlementmonitor</literal></term>
<listitem>
<para>Used by the NetworkMonitor.java file, which is essential to the monitoring of OpenAM
services.</para>
<!-- I might be going to far with this one -->
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/identity/*</literal></term>
<listitem>
<para>Possibly a legacy endpoint. While the associated IdentityServicesHandler servlet is identified
as "REST Endpoint - Identity Services", it is only cited in the IdentityServicesHandler.java
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/resources/*</literal></term>
<listitem>
<para>Linked to an oauth servlet. The associated
com.sun.identity.oauth.service.RestService class is rarely used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/authentication/*</literal></term>
<listitem>
<para>Associated with the servlet named AuthServlet. The associated AuthServer.java file is the
controller servlet for realm authentication pages. When the URL is entered prior to login, it
defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/base/*</literal></term>
<listitem>
<para>Associated with the servlet named AMBaseServlet. While the associated AMBaseServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/service/*</literal></term>
<listitem>
<para>Associated with the servlet named SCServlet. While the associated SCServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/session/*</literal></term>
<listitem>
<para>Associated with the servlet named SMServlet. While the associated SMServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/realm/*</literal></term>
<listitem>
<para>Associated with the servlet named RMServlet. While the associated RMServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/policy/*</literal></term>
<listitem>
<para>Associated with the servlet named PMServlet. While the associated PMServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/idm/*</literal></term>
<listitem>
<para>Associated with the servlet named IDMServlet. While the associated IDMServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/user/*</literal></term>
<listitem>
<para>Associated with the servlet named UMServlet. While the associated UMServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/delegation/*</literal></term>
<listitem>
<para>Associated with the servlet named DelegationServlet. While the associated
DelegationServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/task/*</literal></term>
<listitem>
<para>Associated with the servlet named TaskServlet. While the associated TaskServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/agentconfig/*</literal></term>
<listitem>
<para>Associated with the servlet named AgentConfigurationServlet. The associated
AgentConfigurationServlet class is called by the amAccessControl.xml file, which
suggests that it can be configured from the GUI console, through the Agents section of the
Access Control menu. It is rarely used otherwise. The URL prior to login defaults to the
standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ccversion/*</literal></term>
<listitem>
<para>Associated with the servlet named click-servlet. There is no associated click-servlet.java
or ClickServlet.java file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/federation/*</literal></term>
<listitem>
<para>Associated with the servlet named FSServlet. While the associated FSServlet.java file
is rarely used, the URL prior to login defaults to the standard login page.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/webservices</literal></term>
<listitem>
<para>Used by the WSServlet.java and SecurityTokenService.java files. If you're using web services
and/or the Security Token Service (STS), you may want to keep this in place.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/sts</literal></term>
<listitem>
<para>Associated with the STS. Be aware, this endpoint exposes basic service and port information
for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11),
and Web Service Definition Language (WSDL) endpoints
without logons.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/sts/mex</literal></term>
<listitem>
<para>Associated with the STS. Be aware, this endpoint exposes basic service and port information
for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11),
and Web Service Definition Language (WSDL) endpoints
without logons.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/sts/soap11</literal></term>
<listitem>
<para>Associated with the STS. Be aware, this endpoint exposes basic service and port information
for STS, Metadata Exchange (MEX), Simple Object Access Protocol 1.1 (SOAP11),
and Web Service Definition Language (WSDL) endpoints
without logons.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/sts/mexsoap11</literal></term>
<listitem>
<para>Associated with the STS. Unlike related STS endpoints, it returns a 404 message by default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPMniSoap/*</literal></term>
<listitem>
<para>Used by a servlet named SPMniSoap; associated with a
com.sun.identity.saml2.servlet.SPManageNameIDServiceSOAP servlet class. The associated .java
file works with Manage Name ID communications using SOAP binding from the SP. As the former
spMNISOAP.jsp file no longer exists in the trunk, this may be a legacy endpoint.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPMniPOST/*</literal></term>
<listitem>
<para>Used by a servlet named spMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPMniRedirect/*</literal></term>
<listitem>
<para>Used by a servlet named spMNIRedirect.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPMniInit/*</literal></term>
<listitem>
<para>Used by a servlet named spMNIRequestInit.jsp; previously defined in the SAML2 JSP Endpoints section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPECP/*</literal></term>
<listitem>
<para>The associated SPECPService class receives and processes single logout (SLO) requests, using
SOAP bindings on the SP. The associated SPECService.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPSloSoap/*</literal></term>
<listitem>
<para>The associated SPSingleLogoutServiceSOAP class receives and processes single logout
(SLO) requests, using SOAP bindings on the SP. The associated SPSingleLogoutServiceSOAP.java
file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPSloPOST/*</literal></term>
<listitem>
<para>Used by a servlet named spSingleLogoutPOST.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPSloRedirect/*</literal></term>
<listitem>
<para>Used by a servlet named spSingleLogoutRedirect.jsp; previously defined in the SAML2 JSP
Endpoints section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SPSloInit/*</literal></term>
<listitem>
<para>Used by a servlet named spSingleLogoutInit.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/Consumer/*, /SSORedirect/*</literal></term>
<listitem>
<para>Used by a servlet named spAssertionConsumer.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SSOPOST/*, /SSORedirect/*</literal></term>
<listitem>
<para>Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SSORedirect/*</literal></term>
<listitem>
<para>Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/NIMSoap/*</literal></term>
<listitem>
<para>Used by a servlet named NameIDMappingServiceSOAP; the associated NameIDMappingServiceSOAP.java
file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/AIDReqUri/*</literal></term>
<listitem>
<para>Used by a servlet named AssertionIDRequestServiceSoap; the associated
AssertionIDRequestURI.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/AIDReqSoap/*</literal></term>
<listitem>
<para>Used by a servlet named AssertionIDRequestServiceSoap; the associated
AssertionIDRequestSOAP.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/AuthnQuerySerivceSoap/*</literal></term>
<listitem>
<para>Used by a servlet named AuthnQueryServiceSoap; the associated
AuthnQueryServiceSOAP.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/AttributeServiceSoap/*</literal></term>
<listitem>
<para>Used by a servlet named AttributeServiceSoap; the associated
AttributeServiceSOAP.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SSOSoap/*</literal></term>
<listitem>
<para>Used by a servlet named SSOSoap; the associated
IDPSingleSignOnServiceSOAP.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IDPMniSoap/*</literal></term>
<listitem>
<para>Used by a servlet named IDPMniSoap; the associated
IDPManageNameIDServiceSOAP.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IDPMniPOST/*</literal></term>
<listitem>
<para>Used by a servlet named idpMNIPOST.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IDPMniRedirect/*</literal></term>
<listitem>
<para>Used by a servlet named idpMNIRedirect.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IDPMniInit/*</literal></term>
<listitem>
<para>Used by a servlet named idpMNIRequestInit.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IDPSloSoap/*</literal></term>
<listitem>
<para>Used by a servlet named IDPSloSoap; the associated
IDPSingleLogoutServiceSOAP.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IDPSloPOST/*</literal></term>
<listitem>
<para>Used by a servlet named idpSingleLogoutPOST.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IDPSloRedirect/*</literal></term>
<listitem>
<para>Used by a servlet named idpSingleLogoutRedirect.jsp; previously defined in the SAML2 JSP
Endpoints section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IDPSloInit/*</literal></term>
<listitem>
<para>Used by a servlet named idpSingleLogoutInit.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ArtifactResolver/*</literal></term>
<listitem>
<para>Used by a servlet named IDPArtifactResolver; the associated
IDPArtifactResolutionServiceSOAP.java file was deleted from at least one of
the trunk directories in September of 2012, so this may be in less frequent use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/spssoinit</literal></term>
<listitem>
<para>Used by a servlet named spSSOInit.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/idpssoinit</literal></term>
<listitem>
<para>Used by a servlet named idpSSOInit.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/idpSSOFederate</literal></term>
<listitem>
<para>Used by a servlet named idpSSOFederate.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/idpsaehandler/*</literal></term>
<listitem>
<para>Used by a servlet named SA_IDP.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/spsaehandler/*</literal></term>
<listitem>
<para>Used by a servlet named IDP_SP.jsp; previously defined in the SAML2 JSP Endpoints
section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/idpfinder</literal></term>
<listitem>
<para>Used by a servlet named IDPFinderService; the associated
FSIDPFinderService.java file can be used to find a preferred IDP with a common domain cookie.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/cdcservlet</literal></term>
<listitem>
<para>Used by a servlet named CDCServlet. It is associated with a Cross Domain Controller Servlet,
as described in
the chapter on <link xlink:href="admin-guide#chap-cdsso"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Configuring Cross-Domain Single Sign On in the Administration Guide
</citetitle></link>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SAMLAwareServlet</literal></term>
<listitem>
<para>Used by a servlet named SAMLAwareServlet. It is associated with communications between a
client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is
part of the client web browser artifact profile. It validates a session token from a request run
through the IDP.
<!-- ref http://docs.oracle.com/cd/E19354-01/817-5710/prog_saml.html -->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SAMLPOSTProfileServlet</literal></term>
<listitem>
<para>Used by a servlet named SAMLPOSTProfileServlet. It is associated with communications between a
client, an SP, and an IDP. The transfer service on the IDP is the SAML Aware Servlet, and is
part of the client web browser POST profile, which supplies assertion IDs, and returns the
response to the client browser.
<!-- ref http://docs.oracle.com/cd/E19354-01/817-5710/prog_saml.html -->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SAMLSOAPReceiver</literal></term>
<listitem>
<para>Used by a servlet named SAMLSOAPReceiver. The servlet extracts a SAML request from a message
sent in SOAP format. That message can be a query for authorization, attributes, or
authentication. It supports POST messages only.
<!-- ref http://docs.oracle.com/cd/E19462-01/819-4674/admer/index.html -->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/AssertionManagerServlet/*</literal></term>
<listitem>
<para>Used by a servlet named AssertionManagerServlet. It supports dynamic substitution, using
the host name, port number, and the deployment location.
<!-- ref http://docs.oracle.com/cd/E19854-01/819-2357/gayli/index.html -->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/FSAssertionManagerServlet/*</literal></term>
<listitem>
<para>Used by a servlet named FSAssertionManagerServlet. It provides remote interfaces for the
assertion manager class.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SecurityTokenManagerServlet/*</literal></term>
<listitem>
<para>Used by a servlet named SecurityTokenManagerServlet. It supports dynamic substitution, using
session parameters.
<!-- ref http://docs.oracle.com/cd/E19316-01/820-3886/ghjez/index.html -->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/preLogin</literal></term>
<listitem>
<para>Used by a servlet named preLoginHandler. As there is no associated .java or .jsp file, it
may be a legacy endpoint.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/postLogin/*</literal></term>
<listitem>
<para>Used by a servlet named postLoginHandler. As there is no associated .java or .jsp file, it
may be a legacy endpoint.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/federation</literal></term>
<listitem>
<para>Used by a servlet named FederationServlet. Associated with the
com.sun.identity.federation.login.FSFederationHandler class. The matching
FSFederationHandler.java file processes requests to initiate a federation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/consentHandler</literal></term>
<listitem>
<para>Used by a servlet named consentHandler. Associated with the
com.sun.identity.federation.login.FSConsentHandler class. The matching
FSConsentHandler.java file processes redirect requests
in an existing federation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ProcessLogout/*</literal></term>
<listitem>
<para>Used by a servlet named ProcessLogout. Associated with the
FSProcessLogoutServlet class. It is designed to handle single logout requests related to
Kantara / Liberty ID-FF processes.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ReturnLogout/*</literal></term>
<listitem>
<para>Used by a servlet named ReturnLogout. Associated with the
FSReturnLogoutServlet class. It is designed to handle single logout responses related to
Kantara / Liberty ID-FF processes. (Note the subtle difference from the ProcessLogout endpoint,
which handles logout requests.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/liberty-logout</literal></term>
<listitem>
<para>Used by a servlet named LogoutServlet. Associated with the
FSSingleLogoutServlet class. It is designed to start single logout requests related to
Kantara / Liberty ID-FF processes.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/SingleSignOnService/*</literal></term>
<listitem>
<para>Used by a servlet named SingleSignOnService. Associated with the
FSSSOAndFedService class. Configured for SSO on the IDP.
<!-- per http://download.forgerock.org/downloads/openam/javadocs/internal/com/sun/identity/federation/services/fednsso/FSSSOAndFedService.html -->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/IntersiteTransferService</literal></term>
<listitem>
<para>Used by a servlet named IntersiteTransferService. Associated with the
FSIntersiteTransferService class. It is designed to send an <literal>AuthnRequest</literal> to an
IDP.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/AssertionConsumerService/*</literal></term>
<listitem>
<para>Used by a servlet named AssertionConsumerService. Associated with the
FSAssertionConsumerService class. For more information, see the chapter on
<link xlink:href="admin-guide#chap-federation" xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing SAML 2.0 Federation in the Administration Guide</citetitle></link>.
</para>
</listitem>
</varlistentry>
<!-- Many of the following defined with the help of http://docs.oracle.com/cd/E19575-01/820-3886/ggwvp/index.html -->
<varlistentry>
<term><literal>/SOAPReceiver/*</literal></term>
<listitem>
<para>Used by a servlet named SOAPReceiver. Associated with the
FSSOAPReceiver class. SOAP endpoint that handles federation and specifies a URI to the SP.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/federation-terminate</literal></term>
<listitem>
<para>Used by a servlet named FederationTerminationServlet. Associated with the
FSTerminationInitiationServlet.java file, used to initiate termination of a federation
connection. The IDP will send the termination request to the associated URL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ProcessTermination/*</literal></term>
<listitem>
<para>Used by a servlet named ProcessTermination. Associated with the
FSTerminationRequestServlet class. The associated .java file is used when a request is
received by a remote SP.
<!-- I think remote SP, not 100% sure, per http://download.forgerock.org/downloads/openam
/javadocs/internal/com/sun/identity/federation/services/termination/FSTerminationRequestServlet.html-->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ReturnTermination/*</literal></term>
<listitem>
<para>Used by a servlet named ReturnTermination. Associated with the
FSTerminationReturnServlet class. The associated .java file is used to define a URL used by an
IDP to send termination responses.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/InitiateRegistration/*</literal></term>
<listitem>
<para>Used by a servlet named InitiateRegistration. Associated with the
FSRegistrationInitiationServlet class. The associated .java file is used to handle the
registration request from a remote IDP.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ProcessRegistration/*</literal></term>
<listitem>
<para>Used by a servlet named ProcessRegistration. Associated with the
FSRegistrationRequestServlet class. Processes registration requests from remote SPs.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/ReturnRegistration/*</literal></term>
<listitem>
<para>Used by a servlet named ReturnRegistration. Associated with the
FSRegistrationReturnServlet class. Defines a URL for IDPs to send registration responses.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/Liberty/*</literal></term>
<listitem>
<para>Used by a servlet named WSSOAPReceiver. Associated with the
SOAPReceiver class. Defines an endpoint that handles SOAP requests.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/WSPRedirectHandler/*</literal></term>
<listitem>
<para>Used by a servlet named WSPRedirectHandler. Associated with the
WSPRedirectHandlerServlet class. Used by the SP for user redirects.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/idffwriter, /saml2writer</literal></term>
<listitem>
<para>Used by a servlet with a matching name (idffwriter, saml2writer). Associated with the
CookieWriterServlet class. Used by the IDP to help the web container find app-specific info
such as Java classes or Java Archives (JARs).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/idffreader, /saml2reader</literal></term>
<listitem>
<para>Used by a servlet with a matching name (idffreader, saml2reader). Associated with the
CookieReaderServlet class. Used by the SP to help find the preferred IDP.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/multiprotocolrelay</literal></term>
<listitem>
<para>Used by a servlet named MultiProtocolRelayServlet. Associated with the
MultiProtocolRelayServlet class. Used as a RelayState to continue to the next protocol;
associated with a federation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/WSFederationServlet/*, /FederationMetadata/*</literal></term>
<listitem>
<para>Used by a servlet named WSFederationServlet. Associated with the
WSFederationServlet class. Used as a service endpoint for WS-Federation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/RealmSelection/*</literal></term>
<listitem>
<para>Used by an endpoint named realmSelection.jsp. Previously defined in the WS-Federation
JSP Endpoints section.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/saml2query/*</literal></term>
<listitem>
<para>Used by a servlet named saml2query. Associated with the QueryHandlerServlet class. The
corresponding .java file receives and processes SAML2 queries.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/federationws/*</literal></term>
<listitem>
<para>Used by a servlet named federationrest. Associated with the ServletContainer class. Does not
appear to be included in any current .java or .jsp file, so it may be a legacy endpoint.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/xacml/*</literal></term>
<listitem>
<para>Used by a servlet named XACMLContentAdapter. Associated with the XacmlContentHandlerService
class. Provides the main endpoint for all XACML requests. For more information, see the next
section on XACML 3 REST Endpoints.
<!-- Might need to split out into a separate section -->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/frrest/oauth2/*</literal></term>
<listitem>
<para>Used by a servlet named OAuth2Rest. Associated with the RestTokenDispatcher class.
For more information, see
the chapter on <link xlink:href="dev-guide#chap-rest"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Using RESTful Web Services</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/oauth2/registerClient.jsp</literal></term>
<listitem>
<para>Used by a servlet named OAuth2RegisterClient. For more information, see
the Administration Guide chapter on <link xlink:href="admin-guide#chap-oauth2"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Managing OAuth 2.0 Authorization</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/oauth2/*</literal></term>
<listitem>
<para>Used by a servlet named OAuth2RestletAdapter. Associated with the RestTokenDispatcher class.
For more information, see
the chapter on <link xlink:href="dev-guide#chap-rest"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Using RESTful Web Services</citetitle></link>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>/json/*</literal></term>
<listitem>
<para>Used by a servlet named ForgeRockRest. Associated with the HttpServlet class.
For more information, see the chapter on
<link xlink:href="dev-guide#chap-rest"
xlink:role="http://docbook.org/xlink/role/olink">
<citetitle>Using RESTful Web Services</citetitle></link>.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="xacml3-rest-endpoints">
<title>XACML 3 REST Endpoints</title>
<indexterm>
<primary>Endpoints</primary>
<secondary>XACML 3</secondary>
<tertiary>REST</tertiary>
</indexterm>
<para>The endpoints described in this section document the work done to date on XACML 3
REST endpoints. The descriptions are different from other endpoints in this chapter.</para>
<!-- Given the state of development of these endpoints, I would not object if we delete this section.
The "other XACML endpoints" are a reference to Jeff Schenk's notes on AME-928.
In addition, Jeff says that he's planning to set up a toggle to deactivate / activate XACML
endpoints. When that happens, I should add that info to this section. -->
<variablelist>
<varlistentry>
<term><literal>GET /openam/xacml/</literal></term>
<listitem>
<para>Default endpoint. Provides the home document.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>GET /openam/xacml/home</literal></term>
<listitem>
<para>XACML endpoint that provides the home document.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>GET /openam/xacml/status/</literal></term>
<listitem>
<para>XACML endpoint that provides status and home document.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>POST /openam/xacml/</literal></term>
<listitem>
<para>Default POST endpoint that sends a request from the Policy Enforcement Point (PEP).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>POST /openam/xacml/pep/</literal></term>
<listitem>
<para>XACML POST endpoint that sends a request from the Policy Enforcement Point (PEP).</para>
</listitem>
</varlistentry>
</variablelist>
</section>
</chapter>