Using SAML Assertion Attributes in ForgeRock OpenAM – Episode 01/04 : Protecting a J2EE Application with ForgeRock OpenAM

This is first of four blog entries that aims at demonstrating how to use SAML Assertion Attributes in an Application protected by ForgeRock OpenAM. For the convenience of viewing, a thirty five odd minutes screen-cast has been split into four sections, the first of which is embedded on this blog post. While each entry talks of an independent facility in ForgeRock OpenAM, it makes sense to read/view them in the following order:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes


As you can possibly make out from the illustration above, there are three Linux Containers being used in our demonstration, two of which runs an OpenAM instance each. A third Linux Container is used for installing a J2EE Application. The illustration captures the end state of this segment, where a J2EE Application is protected by an OpenAM J2EE Agent, making sure all client requests to it are intercepted by the Agent and redirected to the OpenAM for Authentication/Authorization.


4 thoughts on “Using SAML Assertion Attributes in ForgeRock OpenAM – Episode 01/04 : Protecting a J2EE Application with ForgeRock OpenAM”

  1. Hi Rajesh,

    Thank you for the tutorial that you shared for the scenario of protecting a J2EE aplication using ForgeRock.
    I followed the steps you indicated while having OpenAM to my local machine and the J2EE aplication to a remote machine.
    I managed to do all the steps correctly but I get in the end the “HTTP 403 – access denied” page.
    You indicated in the tutorial that you created ‘in the back stage’ configurations to enable policy for this J2EE application.
    Well, I do not manage to define this kind of policy.
    I modified the iPlanetAMWebAgentService to point to http://machine2ip:9080/myapp/*
    and then added a policy that:

    points to resource: http://machine2ip:9080/myapp/*
    has selected Actions: GET and POST with Allow action
    No Subject selected.

    Still, it does not work. The login fails with status 403.

    Can you please help me with this issue?

  2. Hi Rajesh,

    I am very much new to OpenAM. I am trying to run a sample programm and having following issue.

    I have configured OpenAM with default settings ( and J2EE Policy Agent on a different machine along with my web application using Tomcat. I have made the required changes in my application’s web.xml to intercept the request. The URL to access my application is
    Whenever I am accessing the url ‘’ through the browser it changes to ‘’ and openam login page appears. After submitting the credentials the page keeps on reloading and nothing gets displayed. What could be the potential reason?

    Also, could you please share some working j2ee code/example, if possible.

    Thanks in advance.

Leave a Reply

Your email address will not be published. Required fields are marked *