NAMCookieAuth for NetIQ Access Manager v1.0


This authentication class for NetIQ Access Manager allows for "persistent logins", "long authentication sessions", or "remember my password" functionality. When used, this authentication class will store an encrypted cookie on the browser after a successful login. The next time a user would be prompted for authentication, this class will re-use the authentication cookie instead of prompting the user for credentials. If the user's password expires or changes, or the MaxAgeSeconds time expires, the user will be required to supply credentials again.


  1. Copy the NAMCookieAuth.jar file to all IDP server's in the nidp/WEB-INF/lib directory. The actual location will vary depending on OS and NAM version. Searching for "nidp.jar" should reveal the correct location.

  • Create a new class in the NAM admin console. IDP Cluster -> Edit -> Local -> Classes -> New.

    1. set the DisplayName to "NAMCookieAuth"

  • set the Java class to "Other"

  • set the Java class path to "com.novell.jrivard.nam.cookieauth.NAMCookieAuth"

  • Create a method and contract utilizing the new class as appropriate.

  • Edit your "login.jsp" (in nidp/jsp directory) or whatever custom login pages you may have.

    1. add the following HTML somewhere in the <form> tags on the page:

<input type="checkbox" name="EnableCookieAuth" value="true" /> Remember Me

==Class Properties==
CryptoKey | If present, this key is used to encrypt the user's credentials in the cookie. The longer
| and more random this value is, the more secure the credentials will be. The value must be at least
10 characters. If not present, the IDP's encryption certificate key will be used instead.
CookieName | Name of the cookie stored on the browser. Default is "PERSISTENT_AUTH"
CookiePath | Path of the cookie stored on the browser. Default is "/nidp"
MaxAgeSeconds | Amount of seconds the cookie is valid for. Default is 2592000 (30 days).
ParamName | The name of the Http Parameter to enable this feature. The default is "EnableCookieAuth"
MatchSrcAddress | If false, do not authenticate a user using a different source network address then when the
| original authentication occurred. Default is true.


With this class in use, The user will be unable to "logout" of the system in any practical way because re-accessing any protected page will simply re-authenticate the user using the browser stored credentials. There are at least two ways to invalidated an outstanding browser stored authentication cookie. The first is to change the user's password. A second is to clear the stored cookie from the browser.

Because the cookie can only be cleared by a request to a page on the server that issued it, there must be a page on the IDP server that can clear it. This is the purpose of the clearCookieAuth.jsp. To utilize this page, copy it to the IDP server's /nidp directory (not the jsp directory). The url for this page will be Any requet to that url will clear the authentication cookie.

You can have logout page redirect to this page, or have an <iframe> that references if desired. You may also wish to customize this jsp to provide login links or instructions to your user.


How To-Best Practice
Comment List