Although ForgeRock OpenAM includes multi-factor authentication capability, it can also integrate with pre-existing solutions such as those from Symantec. This paper describes how to configure OpenAM against a Symantec VIP deployment.


Authentication Process for User Name + Password + Security Code Authentication Method

  1. The user enters a user name, a password, and a security code.
  2. As the first part of the two-factor authentication, ForgeRock OpenAM sends the user name, password, and security code to the Validation Service.
  3. The Validation Service authenticates the user name and password against the user store (OpenDJ or Active Directory).
  4. As the second part of the two-factor authentication, the Validation Service authenticates the user name and security code with the VIP Authentication Service.
  5. If the user name and security code are authenticated, the Validation Service returns an Access-Accept authentication response to ForgeRock OpenAM.

Step 1: Prerequisites and Assumptions

Assumption: Symantec VIP and Validation Services have been installed and configured per Symantec instructions.

Install JDK 1.8 and Tomcat per their respective recommendations.

It is assumed the FQDN for both instances is  . These would not need to be the same in the real world; a single name is used here only to make an easy test environment.

OpenAM Installation video:

Step 2: Configure OpenAM RADIUS Authentication Module

Create an authentication module of type RADIUS, configured to send its requests to the Symantec Validation Service.


Step 3: Test Authentication Module

Attempt access using the module directive, such as:
Launch the VIP mobile application and acquire the One-Time Password (OTP) from VIP.
Enter the password followed by the OTP shown in the mobile app into the password field of the OpenAM login interface.
Example: MyP@ssword661157, where MyP@ssword is the password in the LDAP server and 661157 is the OTP returned by the mobile application.
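The five-step flow above and the password+OTP entry format, as an added Python example that is not part of the original page or of any ForgeRock or Symantec product: it hides the User-Password attribute the way RFC 2865 specifies for the RADIUS request OpenAM sends, then plays the Validation Service side, splitting off the trailing OTP and checking each part. The user store, the VIP-issued code, the shared secret and the six-digit OTP length are constructed assumptions.

```python
import hashlib
import secrets

OTP_LEN = 6  # the page's example OTP (661157) is six digits
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS packet codes, RFC 2865
# Constructed stand-ins for the user store (OpenDJ/AD) and the VIP Authentication Service.
# (A real VIP service also rejects reuse of a code; this stand-in does not model that.)
USER_STORE = {"alice": b"MyP@ssword"}
VIP_ISSUED_OTP = {"alice": "661157"}


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decode: bool) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous hidden block);
    # the first block uses the Request Authenticator instead.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, mask))
        out += result
        prev = chunk if decode else result  # chain on the hidden block on both sides
    return out


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (OpenAM RADIUS module): pad to a 16-byte multiple, then mask."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, decode=False)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side (Validation Service): unmask and strip the NUL padding."""
    return _xor_chain(hidden, secret, authenticator, decode=True).rstrip(b"\x00")


def split_credential(combined: bytes):
    """b'MyP@ssword661157' -> (b'MyP@ssword', '661157'); None if no trailing OTP."""
    if len(combined) <= OTP_LEN or not combined[-OTP_LEN:].isdigit():
        return None
    return combined[:-OTP_LEN], combined[-OTP_LEN:].decode()


def validation_service(user: str, hidden: bytes, secret: bytes, authenticator: bytes) -> int:
    """Steps 2-5 of the flow: unmask, check password against the store, OTP against VIP."""
    parts = split_credential(reveal_user_password(hidden, secret, authenticator))
    if parts is None:
        return ACCESS_REJECT
    password, otp = parts
    if not secrets.compare_digest(USER_STORE.get(user, b""), password):
        return ACCESS_REJECT  # step 3 failed: unknown user or wrong password
    if not secrets.compare_digest(VIP_ISSUED_OTP.get(user, ""), otp):
        return ACCESS_REJECT  # step 4 failed: VIP does not accept the code
    return ACCESS_ACCEPT  # step 5: Access-Accept back to OpenAM
```

Note that the RFC 2865 hiding is reversible by anyone holding the shared secret, which is why the RADIUS shared secret and the transport between OpenAM and the Validation Service need the same protection as the user password itself.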
