This is the procedure to integrate inWebo multi factor authentication service with "Forgerock OpenAM" authentication solution.


  • OpenAM version 13.0.0

  • SSOAdminTools

  • Tomcat 7

  • Oracle Sun JDK 1.7

  • (JCE) Unlimited Strength Jurisdiction Policy Files


Download the setup package here : Resources downloads#Connectors(plugins)

Follow the below steps to install the connector:

$ unzip package -d /tmp/openam-ui-inwebo
$ sudo cp /tmp/openam-ui-inwebo/edit-webapp/WEB-INF/lib/*.jar /path/to/tomcat/webapps/openam/WEB-INF/lib/
$ sudo cp /tmp/openam-ui-inwebo/edit-webapp/config/auth/default/* /path/to/tomcat/webapps/openam/config/auth/default/
$ sudo cp /tmp/openam-ui-inwebo/edit-webapp/js/* /path/to/webapps/openam/js/
$ sudo echo password > /tmp/pwd.txt
$ sudo chmod 400 /tmp/pwd.txt
$ sudo ssoadm create-svc -u amadmin --password-file /tmp/pwd.txt --xmlfile /tmp/openam-ui-inwebo/config/amAuthInWeboAuth.xml -v
$ sudo ssoadm register-auth-module -u amadmin -f /tmp/pwd.txt -a org.forgerock.openam.inwebo.InWeboAuth -v
$ sudo /etc/init.d/tomcat restart

$ echo "Only if you use new Login Page (XUI)"
$ sudo rm -rf /opt/tomcat/webapps/openam/XUI/*
$ sudo cp -R /tmp/openam-ui-inwebo/edit-webapp/XUI/* /path/to/webapps/openam/XUI/

Configuration proxy with tomcat and inWebo OpenAm

  1. edit /path/to/tomcat/bin/ and add:

export JAVA_OPTS="$JAVA_OPTS -Dhttp.proxyHost=localhost -Dhttp.proxyPort=3128 -Dhttp.proxyUser=proxyuser -Dhttp.proxyPassword=proxypass"

inWebo service configuration

Downloading a certificate for your service

  • Log in to the inWebo administration console.

  • Navigate to the appropriate service view.

  • Go to Secure Sites and click on the Download a new certificate for the API button.

  • Remember to set the Certificate Authentication option to Yes


Configuration of the inWebo Secure Site

To allow inWebo authentication on your OpenAM server page, you must add a new Web Service type secure site. To do so:

  • go to inWebo administration console→Secure Sites

  • add a new secure site of type Web Services connector

The format of the called URL should be:

http(s)://{OPENAM_HOST}/openam/UI/Login //if you are using the openAM UI
http(s)://{OPENAM_HOST}/openam/XUI //if you are using the openAM XUI

The default authentication form values are:

  • Form name: Login

  • Login field name: IDToken1

  • Password field name: IDToken2

1. With UI:

2. With XUI:

After the Browser token activation, record the "Bookmark Alias" (displayed here in green) for later use.

Configuration of inWebo connector in OpenAm

To configure inWebo authentication in OpenAM:

  • go to OpenAM Admin console and log in as 'amadmin'

  • navigate to {REALM}→Authentification→Modules

  • add new module with inWebo Authentication Type

Testing Configuration

To test the configuration, go to:

1. With UI (if XUI is disabled)

http(s)://{OPENAM_HOST}/openam/UI/Login?module=inWeboTest //if you are using the openAM UI

2. With XUI

http(s)://{OPENAM_HOST}/openam/XUI/#login/&module=inWeboTest //if you are using the openAM XUI

How to disable XUI

To disable XUI:

  • go to OpenAM Admin console and log in as 'amadmin'

  • navigate to Configuration→Authentication→Core→Global Attributes

  • uncheck the 'XUI Interface' attribute

UI Customization

To develop and customize the UI in a faster manner, disable the cache as follow:

  • go to OpenAM Admin console and log in as 'amadmin'

  • go to Configuration→Servers and Sites→Server Name→Advanced

  • set 'org.forgerock.openam.core.resource.lookup.cache.enabled' to false

NOTE: For production servers, leave the parameter set to the default value, true


To display debug information, goto