what is the impact of modifying openAM Authentication Settings (user Profile)

Question

we use OpenAM version 13.0.0

what is the impact of modifying User Profile from required to Dynamic or Dynamic with an alias?

realms->authentication->settings

is this will affects SSO SAML or normal login for the admin user.

Answer 1

Based on the NameID format being used it will affect SAML SSO. It does not affect authentication for the super user 'amadmin'. The purpose for this setting is security. If the actual source for authentication has a different account/identity base as OpenAM, e.g. a RADIUS server. It may include accounts for network operators that are not allowed to use 'Access Management', nevertheless you may use it as authentication method for OpenAM. To guarantee that only 'known' identities are allowed to use 'Access Management', you set 'User Profile' to 'required'. Then OpenAM will perform a 'profile lookup' in the configured user data stores after the actual authentication (via RADIUS) happened. Unfortunately OpenAM has always set this as default, even when 'datastore' authentication is configured .... this does not make sense as the source for authentication is the same as for identities. Unfortunately the concept has not been widely known, hence 'User profile' setting is also leveraged by other part of the code, although it's totally unrelated.