OpenText™ Access Manager
Passwordless authentication
Version : 25.2
PDF Generated on : July 27, 2025
© Copyright 2025 Open Text
Table of Contents
1. Passwordless authentication 1
1.1. A sample scenario for passwordless authentication 3
1.2. Prerequisites for configuring passwordless authentication through OpenText Advanced Authentication 4
1.3. Enabling passwordless authentication through OpenText Advanced Authentication 5
Access Manager 25.2
1. Passwordless authentication
Passwordless authentication differs from traditional username and password-based
login systems. Instead of requiring users to remember and input a password, it uses
biometrics, one-time codes sent via SMS or email, or a physical security key.
Why passwordless authentication
Passwordless authentication provides several benefits, including:
- Improved security: Eliminates the risk of weak or stolen passwords, thereby reducing the risk of account takeovers and data breaches.
- Increased convenience: Eliminates the need to remember complex passwords, thereby reducing the risk of forgotten passwords and locked accounts.
- Faster logins: Allows users to log in almost instantly through passwordless authentication methods, such as biometrics or security keys.
- Lightning-fast workstation logins: Allows employees to log in to their workstations more quickly, which increases productivity, closes security gaps, and reduces frustration.
- Reduced helpdesk calls: Eliminates the need to remember or reset passwords, so the helpdesk team can focus on other crucial tasks.
- Secure payments with reduced friction: In addition to making the transaction more secure, it reduces friction in the checkout process, leading to higher conversion rates and better customer satisfaction.
- Better compliance with regulations: Assists companies in meeting regulatory compliance requirements, such as the General Data Protection Regulation (GDPR).
How OpenText Access Manager supports passwordless authentication
You can configure passwordless authentication in OpenText Access Manager by using one of the following features:
- Kerberos authentication: For information, see Kerberos authentication.
This PDF was generated on July 27, 2025 Page 1 of 17
- Certificate-based authentication: For information, see Mutual SSL (X.509) authentication.
- Integration with OpenText Advanced Authentication: When integrated with OpenText Advanced Authentication, OpenText Access Manager supports passwordless authentication through one of the following methods:
  - FIDO2
  - FIDO U2F
  - Bluetooth
  - Smartphone
  - Facial Recognition
  - Fingerprint
  - Card (NFC)
  - PKI
Note
The plug-in-based integration does not support the Bluetooth and Facial Recognition methods.
This guide includes details and instructions for passwordless authentication using the
FIDO2 method of OpenText Advanced Authentication.
1.1. A sample scenario for passwordless authentication
ABC bank wants to provide customers with secure and convenient access to their online accounts. The bank does not want customers to remember and input a complex password each time they log in to their banking accounts. In addition, it wants to prevent the risk of intercepted credentials.
In this scenario, the bank implements the FIDO2-based passwordless authentication feature of OpenText Access Manager. Passwordless authentication improves the user experience, increases security, and reduces the risk of account takeovers.
Maria is a customer of the bank. She wants to check her account balance and transaction history on her cell phone. She has a FIDO2 security key. She performs the following actions:
1. Opens the ABC mobile banking app.
2. Clicks Log in with security key.
The system prompts her to insert her security key into the USB-C port or NFC reader.
3. Inserts the key and touches the button to confirm her identity.
The system verifies her identity and grants her access to her account without requiring a password.
1.2. Prerequisites for configuring passwordless authentication through OpenText Advanced Authentication
- OpenText Access Manager is installed and configured. See the OpenText Access Manager Installation and Upgrade Guide.
- Advanced Authentication or Advanced Authentication as a Service is installed and configured. For information about how to install Advanced Authentication, see the OpenText Advanced Authentication Server Installation and Upgrade Guide. For information about how to configure Advanced Authentication or Advanced Authentication as a Service, see the OpenText Advanced Authentication Administration Guide.
- An OpenText Access Manager administrator account is available.
- An OpenText Advanced Authentication administrator account is available.
1.3. Enabling passwordless authentication through OpenText Advanced Authentication
Enabling passwordless authentication consists of the following tasks:
1. Integrating OpenText Advanced Authentication with OpenText Access Manager
2. Configuring passwordless authentication
3. Verifying the integration
4. Enrolling end users in the OpenText Advanced Authentication Self-Service portal
Integrating OpenText Advanced Authentication with OpenText Access Manager
You can integrate OpenText Advanced Authentication with OpenText Access Manager by using one of the following approaches:
- Plug-in-based approach
- OAuth-based approach (Recommended)
For more information about these approaches and their differences, see Implementation Approaches.
To integrate both products, first configure the OpenText Advanced Authentication server and then configure the server details in OpenText Access Manager:
- Configuring the OpenText Advanced Authentication server
- Configuring the OpenText Advanced Authentication server details in OpenText Access Manager
Configuring the OpenText Advanced Authentication server
1. Log in to OpenText Advanced Authentication as an administrator.
2. Verify that the NAM event is available in Events.
Note
The NAM event is created by default when you install OpenText
Advanced Authentication. In a rare scenario, the NAM event is not
created by default. Re-installing OpenText Advanced Authentication
resolves the issue.
3. Set up a central user store that both OpenText Advanced Authentication and OpenText Access Manager use when authenticating a user. You can add a new repository in the OpenText Advanced Authentication server or configure the details of an existing OpenText Access Manager user store.
If you add a new repository in OpenText Advanced Authentication, configure the same repository in Configuring the OpenText Advanced Authentication server details in OpenText Access Manager.
For more information about how to add a repository, see Adding a Repository.
4. Configure a method that supports passwordless authentication. For example, configure FIDO2.
An OpenText Advanced Authentication method verifies the identity of a user who tries to access resources.
For more information about how to configure a method, see Configuring Methods.
5. Create a chain.
A chain is a combination of methods. A user must complete every method in the chain successfully to be authenticated. Add the FIDO2 method that you configured in the previous step. In Roles and Groups, assign the chain to the user group configured in the repository.
For example, specify XYZ\Allowed RODC Password Replication Group, where XYZ is the repository name.
For more information about configuring chains, see Creating a chain.
6. (Required only for the OAuth-based approach) Configure an event.
Important
In the plug-in-based integration, OpenText Access Manager uses the
default NAM event created during OpenText Advanced
Authentication installation.
Perform the following steps to configure an event:
   1. Click Events > Add.
   2. Specify a name for the event.
   3. Select OAuth2 from Event type.
   4. Select the chain you created in the previous step.
   Note
   You need the Client ID and Client secret while configuring the OpenText Advanced Authentication server in OpenText Access Manager. You cannot view the Client secret later, so you must note the value.
   5. In Redirect URIs, specify the following URI: https://<identity server-url>:<port>/nidp/oauth/nam/callback
   For example, if the Identity Server URL is https://domain.example.com:8443/nidp, where domain.example.com is the domain name and 8443 is the port, specify https://domain.example.com:8443/nidp/oauth/nam/callback
   Important
   If your Identity Server base URL is on the standard SSL port 443, do not include the port number in the URI. For example: https://domain.example.com/nidp/oauth/nam/callback
7. (Required only for the plug-in-based approach) Assign the created chain to the NAM event in the OpenText Advanced Authentication server.
8. Continue with Configuring the OpenText Advanced Authentication server details in OpenText Access Manager.
Configuring the OpenText Advanced Authentication server details in OpenText Access Manager
Before integrating OpenText Access Manager with OpenText Advanced Authentication or OpenText Advanced Authentication as a Service, log in to the Identity Server machine, go to /opt/novell/nam/idp/plugins/aa/, and ensure that the config.xml file does not exist in this location. Perform this check on all Identity Server nodes.
1. On the Home page, click Identity Servers > IDP Global Settings > Advanced Authentication.
2. Specify the following details:
Field          Description
Server Domain  Specify the scheme, domain name, and port of the OpenText Advanced Authentication server.
Tenant Name    Specify the name of the tenant that you want to use. By default, this field is populated with the TOP tenant of OpenText Advanced Authentication. You can specify another tenant name that you want to use.
Note
If you are using the plug-in-based approach, skip to Step 5.
3. (Required only for the OAuth-based approach) Select Integrate using OAuth under OAuth Event Configuration.
4. (Required only for the OAuth-based approach) Specify the following details:
Field          Description
Event Name     Specify an event name. This event name must be identical to the event name specified in the OpenText Advanced Authentication administration portal.
Client ID      Specify the client ID generated while creating the OAuth 2.0 event in the OpenText Advanced Authentication administration portal.
Client Secret  Specify the client secret generated while creating the OAuth 2.0 event in the OpenText Advanced Authentication administration portal.
OpenText Access Manager uses the following endpoint URLs to retrieve the token and user details from the OpenText Advanced Authentication server. They are populated with the default values. If the URIs change because the OpenText Advanced Authentication authorization server was modified, update them here.
Field              Description
Authorization URL  OpenText Access Manager uses this URL to retrieve the authorization code from the OpenText Advanced Authentication server.
Token URL          OpenText Access Manager uses this URL to exchange the authorization code for the access token.
User Info URL      OpenText Access Manager sends the access token to this URL to get the user details from the OpenText Advanced Authentication server.
The fields under Integration URLs are auto-populated after you specify the server domain address.
Field                Description
Enrollment Page URL  If the user is not enrolled in the OpenText Advanced Authentication server, OpenText Access Manager uses this URL to redirect the user to the enrollment page.
Sign Data URL        OpenText Access Manager uses this URL to retrieve the signed data from the OpenText Advanced Authentication server.
5. Click Save.
6. Log in to the Identity Server machine, go to /opt/novell/nam/idp/plugins/aa/, and verify that the config.xml file is available in this location. Perform this check on all Identity Server nodes.
7. Verify that the endpoint has been created in the OpenText Advanced Authentication server.
Go to the OpenText Advanced Authentication administration portal and verify that the hostname or domain name of the Identity Server Cluster is displayed as the endpoint under Endpoints.
8. On the Home page, click Certificates > Trusted Roots to verify that the OpenText Advanced Authentication server certificate is available.
If the certificate is not available, perform the following steps to import it:
   1. Click Certificates > Trusted Roots > Auto-Import From Server.
   2. Specify the server IP/DNS, server port, and certificate name.
   3. Click OK.
9. Configure the same user store or repository that you added in the OpenText Advanced Authentication server. See Step 3.
   1. On the Home page, click Identity Servers > [cluster name] > User Stores > Plus icon.
   2. Specify the details and click Finish.
   3. Update Identity Server Cluster.
Skip this step if you configured an existing OpenText Access Manager user store in the OpenText Advanced Authentication server.
10. Continue with Configuring passwordless authentication.
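The Redirect URI rule from the OAuth2 event configuration and the Authorization, Token and User Info URLs from the preceding table, worked through as an added example (not OpenText code): nam_redirect_uri applies the port-443 rule, and FakeAdvancedAuthServer is a constructed in-memory stand-in whose method names, checks and user fields are assumptions, not the product's real endpoints.

```python
# Added example, not OpenText's code. It derives the Redirect URI that the
# OAuth2 event must carry (port omitted only for 443) and walks the three
# calls Access Manager makes against the Authorization, Token and User Info
# URLs. FakeAdvancedAuthServer is a constructed in-memory stand-in; its
# method names, checks and user fields are assumptions, not the product API.
import secrets
from urllib.parse import urlsplit, urlunsplit

CALLBACK_PATH = "/nidp/oauth/nam/callback"


def nam_redirect_uri(identity_server_url: str) -> str:
    """Redirect URI for a base URL such as https://host:port/nidp; 443 is dropped."""
    parts = urlsplit(identity_server_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Identity Server URL must look like https://host[:port]/nidp")
    host = parts.hostname
    netloc = host if parts.port in (None, 443) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, CALLBACK_PATH, "", ""))


class FakeAdvancedAuthServer:
    """Constructed stand-in for the AA authorization server (assumption)."""

    def __init__(self, client_id, client_secret, redirect_uri, users):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri  # the URI registered on the event
        self.users, self.codes, self.tokens = users, {}, {}

    def authorize(self, client_id, redirect_uri, user):
        # Authorization URL: a code is issued only to the registered client
        # and only for an exact match of the registered Redirect URI.
        if client_id != self.client_id or redirect_uri != self.redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, redirect_uri)
        return code

    def token(self, code, client_id, client_secret, redirect_uri):
        # Token URL: the code is single-use and bound to the client and the
        # redirect_uri it was issued for; the Client Secret is checked here.
        if not secrets.compare_digest(client_secret, self.client_secret):
            raise PermissionError("bad client secret")
        user, issued_to = self.codes.pop(code, (None, None))
        if user is None or client_id != self.client_id or redirect_uri != issued_to:
            raise PermissionError("invalid or replayed authorization code")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = user
        return access_token

    def userinfo(self, access_token):
        # User Info URL: returns the user details bound to the access token.
        return dict(self.users[self.tokens[access_token]])


def access_manager_login(aa, client_id, client_secret, identity_server_url, user):
    """The calls Access Manager makes, in order, for one passwordless login."""
    redirect_uri = nam_redirect_uri(identity_server_url)
    code = aa.authorize(client_id, redirect_uri, user)
    access_token = aa.token(code, client_id, client_secret, redirect_uri)
    return aa.userinfo(access_token)
```

A mismatched Redirect URI (for example, a base URL on another host, or 443 written explicitly while the event omits it) is rejected at the authorization step, and a replayed code is rejected at the token step.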
Configuring passwordless authentication
Configure OpenText Advanced Authentication to perform the first-factor authentication.
- Configuring passwordless authentication using the OAuth-based approach
- Configuring passwordless authentication using the plug-in-based approach
Configuring passwordless authentication using the OAuth-based approach
Perform the following steps in OpenText Access Manager:
1. Configure an OpenText Advanced Authentication Generic class.
   1. On the Home page, click Identity Servers > [cluster name] > Authentication > Classes > Plus icon.
   2. Under Advanced Authentication, select Advanced Authentication Generic Class.
   3. Specify the following details:
   Field            Description
   Class Name       Specify a name for the class.
   Java class path  Specify the Java class path.
   4. Click Next > Finish.
2. Create a method for this class.
   1. On the Home page, click Identity Servers > [cluster name] > Authentication > Methods > Plus icon.
   2. In Advanced Authentication Chains, select the chain you created for FIDO2.
   Note
   If no chain is available in Advanced Authentication Chains, create a chain in the OpenText Advanced Authentication server. If a chain is available in the OpenText Advanced Authentication server but not in Advanced Authentication Chains, assign the chain to the configured OpenText Access Manager OAuth event in the OpenText Advanced Authentication administration portal.
3. Create a contract for the method.
   1. On the Home page, click Identity Servers > [cluster name] > Authentication > Contracts > Plus icon.
   2. In URI, specify a unique path value that identifies the contract. You can use the URI to identify this contract for external providers. For example, specify /nam/AAgenericcontract or /mycompany/name/password/form.
   3. In Methods, add the OpenText Advanced Authentication method created in the preceding step.
   4. Click Save.
   5. Update Identity Server Cluster.
Note
For a seamless Identity Server redirection, configure a Custom Response Header and add OpenText Advanced Authentication as an allowed source. For more information, see Configuring a custom response header for an Identity Server cluster.
Configuring passwordless authentication using the plug-in-based approach
Perform the following steps in OpenText Access Manager:
1. Configure an OpenText Advanced Authentication class.
   1. On the Home page, click Identity Servers > Authentication > Classes > Plus icon.
   2. Under Advanced Authentication, select SMS Class.
   3. Specify the following details:
   Field            Description
   Class Name       Specify a name for the class.
   Java class path  Specify the Java class path.
   4. Click Save.
2. Create a method for this class.
   1. On the Home page, click Identity Servers > [cluster name] > Authentication > Methods > Plus icon.
   2. Specify a name for this method.
   3. Select Identifies User.
   4. In Advanced Settings, click the + icon, and configure the following property:
   Important
   The name and the value of the property are case-sensitive.
   Field           Detail
   Property Name   Auth_Type
   Property Value  preAuth
For more information about creating a method, see Configuring authentication methods.
Important
FIDO U2F does not work if enrollment and authentication are performed on different domain names. With OpenText Access Manager and OpenText Advanced Authentication, you have two domain names: one for Identity Server and another for the OpenText Advanced Authentication server. To work around this, create proxy services for Identity Server and the OpenText Advanced Authentication server under the same domain name. See Configuring a FIDO U2F.
3. Create a contract for the method.
   1. On the Home page, click Identity Servers > [cluster name] > Authentication > Contracts > Plus icon.
   2. In URI, specify a unique path value that identifies the contract. You can use the URI to identify this contract for external providers. For example, specify /nam/AAplugincontract or /mycompany/name/password/form.
   3. In Methods, add the OpenText Advanced Authentication method created in the preceding step.
   4. Click Save.
   5. Update Identity Server Cluster.
For more information about creating a contract, see Configuring authentication contracts.
Important
End users must enroll the methods for passwordless authentication. See Enrolling end users in the OpenText Advanced Authentication Self-Service portal.
Verifying the integration
To verify that the integration is successful, create a dummy user account and enroll one or more authenticators.
For information about how an end user enrolls authenticators, see Enrolling end users in the OpenText Advanced Authentication Self-Service portal.
Use this user account to access a protected resource by executing the contract created in OpenText Access Manager.
- Verifying the plug-in-based integration
- Verifying the OAuth-based integration
Verifying the plug-in-based integration
Perform the following steps in OpenText Access Manager:
1. Create an OpenText Advanced Authentication class. You can use a Dynamic class or any other class except the Generic class.
2. Create a method and include the class created in the previous step, add a repository, and add the OpenText Advanced Authentication Enrollment URL property.
Specify the URL of the OpenText Advanced Authentication portal for authenticator enrollments. For example:
- URL of the portal when not protected by Access Gateway: https://<Advanced Authentication hostname or IP address>/account
- URL of the portal when Access Gateway protects Identity Server and OpenText Advanced Authentication: https://<Access Gateway hostname>/account
3. Create a contract and add the OpenText Advanced Authentication method (FIDO2) created in the previous step.
4. Using the account of the dummy user, access Identity Server (https://<identity server-url>:<port>/nidp) or a protected resource to which this contract has been assigned, and execute this contract.
The user is prompted to insert the security key into the USB-C port or NFC reader and confirm the identity.
If the integration is successful, the user is authenticated.
Verifying the OAuth-based integration
Perform the following steps in OpenText Access Manager:
1. Create a class using the OpenText Advanced Authentication Generic class.
2. Create a method, add the class, and select the required chain in Advanced Authentication Chains. For example, select FIDO2.
3. Create a contract. Add the OpenText Advanced Authentication method created in the previous step.
4. Using the account of the dummy user, access Identity Server (https://<identity server-url>:<port>/nidp) or a protected resource to which this contract has been assigned, and execute this contract.
Identity Server redirects the login request to OpenText Advanced Authentication OSP for the chain execution.
On the OSP page, select the chain you configured for FIDO2. The user is prompted to insert the security key into the USB-C port or NFC reader and confirm the identity.
If the integration is successful, authentication succeeds on the OSP page and the user is redirected to Identity Server or the protected resource.
Enrolling end users in the OpenText Advanced Authentication Self-Service portal
End users must enroll all the methods of an authentication chain.
Users must perform the following steps to enroll authenticators:
1. Access the OpenText Advanced Authentication Self-Service portal.
- URL of the portal when not protected by Access Gateway: https://<Advanced Authentication hostname or IP address>/account
- URL of the portal when Access Gateway protects Identity Server and OpenText Advanced Authentication: https://<Access Gateway hostname>/account
2. Select a method from Add Authenticator to enroll.
For example, to enroll the FIDO2 method, select FIDO2, specify the email ID, and click Save.
For more info, visit https://docs.microfocus.com