Skip to main content
Skip table of contents

Forgerock OpenAM

This is the procedure to integrate inWebo multi factor authentication service with "Forgerock OpenAM" authentication solution.


  • OpenAM version 13.0.0

  • SSOAdminTools

  • Tomcat 7

  • Oracle Sun JDK 1.7

  • (JCE) Unlimited Strength Jurisdiction Policy Files


Download the setup package here : Resources downloads#Connectors(plugins)

Follow the below steps to install the connector:

$ unzip package -d /tmp/openam-ui-inwebo
$ sudo cp /tmp/openam-ui-inwebo/edit-webapp/WEB-INF/lib/*.jar /path/to/tomcat/webapps/openam/WEB-INF/lib/
$ sudo cp /tmp/openam-ui-inwebo/edit-webapp/config/auth/default/* /path/to/tomcat/webapps/openam/config/auth/default/
$ sudo cp /tmp/openam-ui-inwebo/edit-webapp/js/* /path/to/webapps/openam/js/
$ sudo echo password > /tmp/pwd.txt
$ sudo chmod 400 /tmp/pwd.txt
$ sudo ssoadm create-svc -u amadmin --password-file /tmp/pwd.txt --xmlfile /tmp/openam-ui-inwebo/config/amAuthInWeboAuth.xml -v
$ sudo ssoadm register-auth-module -u amadmin -f /tmp/pwd.txt -a org.forgerock.openam.inwebo.InWeboAuth -v
$ sudo /etc/init.d/tomcat restart

$ echo "Only if you use new Login Page (XUI)"
$ sudo rm -rf /opt/tomcat/webapps/openam/XUI/*
$ sudo cp -R /tmp/openam-ui-inwebo/edit-webapp/XUI/* /path/to/webapps/openam/XUI/

Configuration proxy with tomcat and inWebo OpenAm

  1. edit /path/to/tomcat/bin/ and add:

export JAVA_OPTS="$JAVA_OPTS -Dhttp.proxyHost=localhost -Dhttp.proxyPort=3128 -Dhttp.proxyUser=proxyuser -Dhttp.proxyPassword=proxypass"

inWebo service configuration

Downloading a certificate for your service

  • Log in to the inWebo administration console.

  • Navigate to the appropriate service view.

  • Go to Secure Sites and click on the Download a new certificate for the API button.

  • Remember to set the Certificate Authentication option to Yes


Configuration of the inWebo Secure Site

To allow inWebo authentication on your OpenAM server page, you must add a new Web Service type secure site. To do so:

  • go to inWebo administration console→Secure Sites

  • add a new secure site of type Web Services connector

The format of the called URL should be:

http(s)://{OPENAM_HOST}/openam/UI/Login //if you are using the openAM UI
http(s)://{OPENAM_HOST}/openam/XUI //if you are using the openAM XUI

The default authentication form values are:

  • Form name: Login

  • Login field name: IDToken1

  • Password field name: IDToken2

1. With UI:

2. With XUI:

After the Browser token activation, record the "Bookmark Alias" (displayed here in green) for later use.

Configuration of inWebo connector in OpenAm

To configure inWebo authentication in OpenAM:

  • go to OpenAM Admin console and log in as 'amadmin'

  • navigate to {REALM}→Authentification→Modules

  • add new module with inWebo Authentication Type

Testing Configuration

To test the configuration, go to:

1. With UI (if XUI is disabled)

http(s)://{OPENAM_HOST}/openam/UI/Login?module=inWeboTest //if you are using the openAM UI

2. With XUI

http(s)://{OPENAM_HOST}/openam/XUI/#login/&module=inWeboTest //if you are using the openAM XUI

How to disable XUI

To disable XUI:

  • go to OpenAM Admin console and log in as 'amadmin'

  • navigate to Configuration→Authentication→Core→Global Attributes

  • uncheck the 'XUI Interface' attribute

UI Customization

To develop and customize the UI in a faster manner, disable the cache as follow:

  • go to OpenAM Admin console and log in as 'amadmin'

  • go to Configuration→Servers and Sites→Server Name→Advanced

  • set 'org.forgerock.openam.core.resource.lookup.cache.enabled' to false

NOTE: For production servers, leave the parameter set to the default value, true


To display debug information, goto

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.