From Wikipedia, the free encyclopedia
Initial releaseNovember 11, 2008 (2008-11-11) (OpenSSO)
February 7, 2010 (2010-02-07) (Forgerock OpenAM)
March 1, 2018 (2018-03-01) (OpenAM Community)
Stable release
Release 14.8.1 [1] / October 31, 2023 (2023-10-31)
Written inJava
Operating systemLinux, Solaris, Windows, Mac OS, AIX
Available inEnglish, French, German, Spanish, Japanese, Korean, Simplified Chinese and Traditional Chinese
TypeIdentity and access management

OpenAM is an open-source access management, entitlements and federation server platform. Now it is supported by Open Identity Platform Community.[2]

OpenAM (Open Access Management) originated as OpenSSO, (Open Single Sign-On) an access management system created by Sun Microsystems and now owned by Oracle Corporation. OpenAM is a fork which was initiated following Oracle's purchase of Sun.


Announced by Sun Microsystems in July 2005,[3] OpenSSO was based on Sun Java System Access Manager, and was the core of Sun's commercial access management and federation product, OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager).

In July 2008, Sun announced paid support for regular "Express" builds of OpenSSO. Sun's stated intent was that express builds would be released approximately every three months, allowing customers early access to new features.[4]

In September 2008, Sun announced OpenSSO Enterprise 8.0, the first commercial product derived from the OpenSSO project.[5] OpenSSO Enterprise 8.0 was released in November 2008.[6]

OpenSSO Enterprise won the "Security" category of the Product of the Year 2009 awards.[7]

In May 2009, shortly after Oracle's acquisition of Sun was announced, OpenSSO Enterprise 8.0 Update 1 was released.

Oracle completed their acquisition of Sun Microsystems in February 2010, and shortly thereafter removed OpenSSO downloads from their website in an unannounced policy change. OpenSSO was forked as OpenAM, developed and supported by ForgeRock.[8]

ForgeRock announced in February 2010 that they would continue to develop and support OpenSSO from Sun now that Oracle had chosen to discontinue development on the project.[9] ForgeRock renamed the product to OpenAM as Oracle retained the rights to the name OpenSSO. ForgeRock also announced that they would continue delivering on the original Sun Microsystems roadmap.[10][11] It was sponsored by ForgeRock until 2016.[12][13]

In November 2016, without any official statement, ForgeRock closed OpenAM source code, renamed OpenAM to ForgeRock Access Management and began distributing source code under a paid, commercial license.[12]

Several free and open-source forks of OpenAM now exist under the Common Development and Distribution License:

  • The Open Identity Platform Community, which has opted to carry on the OpenAM Community name now that ForgeRock has re-branded the commercial product.
  • The Wren Security community, which has opted to re-brand OpenAM to "Wren:AM" to avoid conflict with ForgeRock's original product.


OpenAM supports the following features:[14]

OpenAM supports more than 20 authentication methods out-of-the-box. OpenAM has the flexibility to chain methods together along with Adaptive Risk scoring, setup Multi-factor authentication or to create custom authentication modules based on the JAAS (Java Authentication and Authorization Service) open standard. Integrated Windows Authentication is also supported to enable a completely seamless, heterogeneous OS and Web application SSO environment.
OpenAM provides authorization policy from basic, simple, coarse-grained rules to highly advanced, fine-grained entitlements based on XACML (eXtensible Access Control Mark-Up Language). Authorization policies are abstracted from the application, allowing developers to quickly add or change policy as needed without modification to the underlying application.
Adaptive risk authentication
The adaptive risk authentication module is used to assess risks during the authentication process, and to determine whether to require that the user complete further authentication steps. Adaptive risk authentication determines, based on risk scoring, whether more information from a user is required when they log in. For example, a risk score can be calculated based on an IP address range, access from a new device, account idle time, etc., and applied to the authentication chain.
Federation services securely share identity information across heterogeneous systems or domain boundaries using standard identity protocols (SAML, WS-Federation, OpenID Connect). Quickly set up and configure service provider or cloud service connections through the Fedlet, OAuth2 Client, OAuth2 Provider, or OpenIG Federation Gateway. The OpenIG Federation Gateway is a component of OpenAM providing a SAML2 compliant enforcement point and allows businesses to quickly add SAML2 support to their applications with little to no knowledge of the standard. In addition, there is no need to modify the application or install any plugin or agent on the application container. Out-of the-box tools enable simple task-based configuration of G Suite, ADFS2, along with many other integration targets. OpenAM can also act as a multiprotocol hub, translating for providers who rely on other, older standards. OAuth2 support is an open standard for modern federation and authorization, allowing users to share their private resources with tokens instead of credentials.
Single sign-on (SSO)
OpenAM provides multiple mechanisms for SSO, whether the requirement is enabling cross-domain SSO for a single organization, or SSO across multiple organizations through the Federation Service. OpenAM supports multiple options for enforcing policy and protecting resources, including policy agents that reside on web or application servers, a proxy server, or the OpenIG (Identity Gateway). OpenIG runs as a self-contained gateway and protects web applications where installing a policy agent is not possible.
High availability
To enable high availability for large-scale and mission-critical deployments, OpenAM provides both system failover and session failover. These two key features help to ensure that no single point of failure exists in the deployment, and that the OpenAM service is always available to end-users. Redundant OpenAM servers, policy agents, and load balancers prevent a single point of failure. Session failover ensures the user's session continues uninterrupted, and no user data is lost.
Developer access
OpenAM provides client application programming interfaces with Java and C APIs and a RESTful API that can return JSON or XML over HTTP, allowing users to access authentication, authorization, and identity services from web applications using REST clients in their language of choice. OAuth2 also provides a REST Interface for the modern, lightweight federation and authorization protocol.

See also[edit]


  1. ^ "OpenAM Downloads". GitHub.
  2. ^ "Open Identity Platform Community". GitHub.
  3. ^ "Sun Microsystems Extends Leadership Position in Identity Management — First Vendor To Open Source Web Single Sign-On Technology". Sun Microsystems. 2005-07-13.
  4. ^ "Sun Microsystems Announces Sun OpenSSO Express". Sun Microsystems. 2008-07-23.
  5. ^ "Sun Microsystems Unveils OpenSSO Enterprise — Next-Generation Access Management, Federation and Secure Web Services Solution". Sun Microsystems. 2008-09-30.
  6. ^ "Sun OpenSSO Enterprise 8.0 Revenue Release (RR) is official". Sun Microsystems. 2008-11-11.[permanent dead link]
  7. ^ "Winners of the Product of the Year 2009 Are Announced". 2009-01-14. Archived from the original on 2011-12-13. Retrieved 2016-08-28.
  8. ^ "Oracle kills OpenSSO Express - ForgeRock steps in". The H. 24 February 2010. Archived from the original on 8 December 2013.
  9. ^ "ForgeRock Extending Sun's OpenSSO Platform - InternetNews".
  10. ^ OpenSSO, neglected by Oracle, gets second life Archived 2012-10-15 at the Wayback Machine
  11. ^ "ForgeRock Picks Up Sun's Open Source Identity - Datamation".
  12. ^ a b "ForgeRock has shuttered the open-source community, and no longer allows new development on their platform under a permissive license". timeforafork. June 1, 2017. Archived from the original on 2017-10-03. Retrieved 2022-11-01.
  13. ^ "OpenAM product no longer being publicly developed by ForgeRock".
  14. ^ "ForgeRock Access Management (OpenAM fork)".

External links[edit]