Merry Christmas, Happy Holidays & a great New Year 2021!

At the outset, let me hope you and yours are at a very safe distance from the COVID-19 chaos. Perhaps for the first time in the last several years, we may own a diary with similar entries for almost the entire year to which we bid farewell in another fortnight. Largely confined to the comforts of home, exploring the world within us rather than the one outside, most of us have had to go through several first-of-their-kind emotions and life experiences, which hopefully will remain a unique hallmark of the Year 2020.

It’s folly to imagine a celestial rearrangement in the wake of a New Year that’d put the invisible creature that grounded us for the year in its entirety out of action. Several hundred thousand of our brave fellow beings across the globe have put their lives on the line in serving those who were infected; many others have worked round the clock to help produce a remedy to this unprecedented pandemic. Their Herculean efforts shall yield positive results soon, enabling us to set our social life in motion again. That’s our biggest hope for the New Year 2021!

In the ‘half-filled glass’ scheme of things, this might be one of those rare New Year occasions, when our personal goals take a backseat on our New Year resolution list, giving way to the welfare of humanity at large!

The festive season, like every year, brings with it an opportunity to remind oneself of the beautiful treasures in life, the most prominent of which, to me, is your glorious company and strong influence in my life. I stay eternally grateful for that. Thank you!

Exercising all precautions against the spread of the coronavirus as we step into the holiday season, here’s wishing you and yours a very Merry Christmas, happy holidays and a great New Year 2021!

–R Rajesh

Joyous Season, memorable holidays and an amazing Year 2020!

In the month of September this year, during the early hours of a Friday, on the busy Coimbatore – Salem highway, the chauffeur who was driving us from Kochi to Bangalore collapsed, losing complete control of his vehicle. Being in a “self-driving car” powered by no Artificial Intelligence whatsoever was a first-of-its-kind experience for me and hopefully a one-off too. For almost a minute the car zigzagged along the highway, occasionally hitting the road divider and eventually crashing into it. Like every other event in my life, I owe it to God that I’m alive to strike up a conversation with you on yet another festive season.

That one minute, which seemed an eternity, had me staring at the blurred line that separates life and death. After the event, for several days at a stretch I couldn’t help but reflect on the incident from various angles, only to realise that being alive is one’s greatest fortune and if that is amid the goodness of fellow beings, it’s indeed a generous bonus. With no second thought, let me say, human relations are what matter to me the most, perhaps more than ever before.

When our driver regained consciousness almost immediately after the incident, he recounted how he gently took his foot off the accelerator when his vision went blurry, bringing the speed of the car down substantially. Off the top of my head, I fail to find a year before Twenty Nineteen that brought me such enormous material gains. But had the driver unconsciously put his foot down on the gas pedal, the outcome on that eventful Friday in September 2019 would have been entirely different, and all my material achievements meaningless affairs. I’m all the more convinced that the most valuable wealth I possess is one-hop access to kind-hearted individuals like you, instrumental in shaping my blissful destiny. Thank you!

We are a few days shy of another brand New Year, but I wouldn’t spend a minute drafting resolutions that I hardly follow through on; instead I would gratefully remind myself of the richness of your company, and also celebrate the fact that I continue to exist, to live life.

When I turned off the phone alarm at 4:00 in the morning, the screen displayed the day and date as Friday, 13 September. I stay away from all sorts of superstitions, yet my mind suggested something terrible was to happen, and so it did! Since then I’ve learned it’s a far better option to make positive suggestions to the subjective mind and expect only favourable events to unfold, and so they will. The New Year 2020 sounds so cool; let’s all put together some positive mental images of life events that’ll bring glory, peace, harmony and joy into everyone’s life in the coming year.

As always, with immense gratitude, here’s wishing you & your loved ones a joyous season, memorable holidays and an amazing Year 2020!

–R Rajesh


I’m blessed to have known you. I can’t thank you enough for coming by this space to lend me your ears for a few moments, perhaps not for the first time, if we’ve known each other for over a year. It has become a habit to scribble away a few thoughts at the fag end of the year, which, if there were an option, I would have preferred to be a face-to-face, heart-to-heart dialogue. The retrospective mood that most of us get into at this time of the year, and the hopes we raise for a more promising future spanning the next twelve months, I reckon, make this juncture the most suitable one to touch base, renew and strengthen our link.

Historically, my New Year resolutions never yielded me six-pack abs, fattened savings or sought-after skills on the CV. The knowledge and importance of a reasonable fitness regime, prudent spending and new life-skill acquisition don’t get granted any special powers on the first of January every year that let them promptly translate into action. We can give any noble goal a shot at any part of the year. So of course, I’m not really building my hopes around the new calendar that’ll soon find its place on my wall, and will continue to stay open to everything that life has on offer, be it in Winter, Spring, Summer or Autumn.

But there’s something about the chilly weather, the street-side illuminations, the Christmas carols and caravans that reminds me of all the good things that ever happened in my life. Without a doubt, the ones I cherish the most are the contacts I happened to make with good-hearted souls like you, the fun we had, and the lessons learned from it. To the unseen force that made it all happen, I stay eternally grateful.

So, with another year almost behind us and a new one beckoning, just when we all take a relatively long pause to take stock of bygone events, realign future goals, recharge our batteries and reconnect with the wonderful humans surrounding us, I don’t want to miss an opportunity to repeat like a parrot that our relationship matters to me a hell of a lot and that I wouldn’t be what I am today but for your kindness and affection. New Year resolutions hardly worked for me in the past, but reconnecting with you has always made me happy. I feel tremendously thankful for your company and look forward to another great year that’ll put me in close contact with many more guiding souls like you.

Here’s wishing you from the bottom of my heart, Season’s Greetings, Happy & Memorable Holidays, a very Merry Christmas & a Grand New Year 2019!

Season’s Greetings & New Year 2018 Wishes

Thank you for stopping by. Spare me a few minutes, if you will, perhaps for one last time this calendar year. Likely, the title of this essay has given away what to expect in this write-up. It’s definitely that, but not just that.

I too had the practice of preparing a ‘To Do’ list of things that ought to be done at the dawn of a New Year and followed through with for the rest of my life. Most of what was in it was not too different from the very commonly found New Year resolutions: spend smartly, acquire and maintain new life skills, strike an awesome work–life balance and achieve an enviable, nearly perfect WHR. It all consistently fell flat, though, well ahead of the Blue Monday of the New Year, and thereafter the frictional force of the ‘what-the-hell’ effect applied a sudden brake on will power, flagging everything in the ‘To Do’ list as “pending”, only to be picked up again, afresh and rather unchanged, roughly eleven months later. I’ve made up my mind, therefore, not to fall into the trap of imagining that with a change of calendar comes a new order in life. Instead, it’s the very famous five-minute rule that I fall back on every time I’m inspired to do new and noble things in life. Now, that is not to say I hate to reflect, at the fag end of the year, on the glory days of life and the lessons learned in a dozen months’ time, and to do all that’s possible to stay optimistic for a better year ahead. I love this joyous season and all its celebrations just like most of you, for sure.

While I extend to you my sincere good wishes for all your grand endeavours in the year to come, I realise you would be wiser to hit a gymnasium right now, if you wish to, and go into the New Year a pound or half a pound lighter, than to wait another week, rather adamantly, to bring about an all-important change in life only once a new calendar is in place.

I asked for your time, prominently, to let you know how grateful I am for having been able to establish contact with you, more so for all the great life-changing learnings from it. Thank God for setting up a channel for our link and keeping it from weakening over time. At minimum, I feel so humbled by the immense generosity, kindness and affection showered on me by you and many others on innumerable occasions. Going into the New Year, having you around, just a call away, I believe, is the greatest asset I happen to be blessed with. Occasions such as New Year are just a convenient excuse for me to reach out to tell you how much our relationship means to me, and how grateful I feel for it. Thank you so much for being there, especially on occasions when it mattered.

I’d be failing in my duty if I brought this note to a conclusion without extending you my best wishes for a great holiday season and the New Year to follow. I mean it from my heart when I say I almost always include you in my prayers, and here’s wishing you and your loved ones cherished holiday memories, a great festive season, and a fantabulous Year 2018.

–R Rajesh

Micro Focus Partner Enablement Session – NetIQ Identity Manager

An eight-day marathon Micro Focus Partner Enablement session on NetIQ Identity Manager concluded this evening at Bangalore. As much as it was an engaging experience to get a chance to discuss the contents of the following three Micro Focus courses on NetIQ IDM, with an enthusiastic bunch of folks around there wasn’t any shortage of fun either. Grateful to each of ’em who attended this program for their active participation and co-operation.

NetIQ Identity Manager Administration
NetIQ Identity Manager Advanced Administration
NetIQ Identity Manager Customization

Go here to know more about Micro Focus Partner Program.

NetIQ Access Manager & Advanced Authentication Partner Enablement

Last week, I happened to meet the following folks from the Micro Focus partner community for an enablement program on NetIQ Access Manager & NetIQ Advanced Authentication Framework. I hope the five days that they spent with me at Micro Focus have given them some insights into the Micro Focus Access Management solution. I would like to take this opportunity to also thank them for their co-operation and active participation and wish them all the best!

If you’d like to know more about the Micro Focus Partner program, please click here.
If you are already signed up as a Micro Focus partner, log in here to access a large number of useful resources, including training sessions on the various product offerings from Micro Focus.

NetIQ Access Manager 4.2 Integration with Advanced Authentication 5.4 for Multi Factor Authentication

The following screen-cast demonstrates the integration of NetIQ Access Manager 4.2 SP2 with NetIQ Advanced Authentication Framework for multi-factor authentication using Email OTP.

Special thanks to my colleagues Anupkumar Rajan & Ravi Kiran Jayanthi for helping me get some of the basics right on the Micro Focus Access Management products.

I hope some of you find the screen-cast useful. Enjoy!

Useful links:
Micro Focus Home Page
NetIQ Access Manager Product Page
NetIQ Advanced Authentication Framework Product Page
NetIQ Products download Page
NetIQ Access Manager Documentation Page
Advanced Authentication Plugin for NetIQ Access Manager [Not required for NetIQ Access Manager 4.3]

Season’s Greetings and Advance New Year 2017 Wishes

Either we know each other fairly well, so you were ushered here to read what I’ve written, or maybe you got dropped here quite accidentally, browsing the World Wide Web. Either way, I’m grateful you came by.

For more than a decade, I’ve diligently followed the ritual of publishing a note here, just around this time of the year when we have at hand a brand new calendar waiting to occupy our desk. It’s astonishing how fast time flies, as memories of scribing something similar a year ago are still so vivid. Life wasn’t in any way stagnant between then and now, and I presume it wasn’t for you either. The changes I’ve had in my life over the last dozen months are of a scale so massive that a pause beckons to reflect on them, more so to digest them. Glad we get a ‘new beginning’ once every twelve months (or at least we believe so).

It’s that time of the year when we feed ourselves a double dose of optimism and may have in our possession a long list of resolutions that we so hope to finally get right. Personally, I’ve almost always failed to live up to my own agenda crafted on occasions similar to this, so it’s common sense not to anticipate a perfect life transformation just because I’ll soon have a new blank diary to journal life’s events in. As it’s hard to envisage flying cars and celestial rearrangements featuring on the opening page of my new diary, I’d prefer to believe that life’s not going to be too different next year either. I do pray for the wisdom to remain open to learning from all the lessons that life has on offer.

Nothing inspires me more than human endeavours and all the hard work that goes into them. So be assured, I’ll continue to root for you for every noble goal you have aimed to conquer. All the same, I do expect that if you desire to learn to swim, you’d jump into a pool NOW (under supervision) rather than wait for the New Year celebrations to conclude. As always, wishing you the best!

I’m happy to know you and thankful to learn from you. I thank God constantly for every single opportunity that has come my way, prominently the ones that connected us. And occasions such as New Year are excuses for me to get back to talking to you and to sincerely thank you for being there for me. I know the New Year 2017 is still some days away. I did have a choice to wait until I grab my new diary to reach out and express my gratitude, or to follow the dictates of my heart and do it right “Here & Now”. Well, that was easy. As they say, “For good things, delay not,” certainly not till the dawn of a New Year. From the bottom of my heart, thank you for everything you’ve done for me, and here’s wishing you Wonderful Holidays, a Very Merry X’mas and a Happy & Prosperous New Year 2017!

Getting Familiar with OpenLDAP

I made some video tutorials on OpenLDAP a couple of years ago. It was my humble attempt to help all those interested familiarize themselves with LDAP concepts, more specifically OpenLDAP. Lazy me, it took a while to organize those videos into the YouTube playlist that you see embedded below:

All learning in there is done by doing. If any of you find some information in it useful, I’d consider my efforts not to have gone in vain.

Getting Started with MySQL

Seven years ago, I had written about my experience of Taming Sakila, and since then I’ve had the pleasure and privilege of discussing the world’s most popular open source database in Oracle University classrooms for some years. While those sweet memories remain, I was a bit restless about ignoring requests from a few of my friends to help them learn the basics of MySQL. And today, I’m happy to have been able to produce some screen-casts to help my friends (and all those interested) get started with the MySQL database. The dozen-odd videos on the YouTube playlist ‘Getting Started with MySQL’, embedded below, might just be sufficient to start learning MySQL. For a more detailed study, I’d strongly recommend the training programs on MySQL or the official MySQL documentation.

I hope some of you find these videos useful.

KuppingerCole’s Latest Access Management and Federation Leadership Compass – It’s ForgeRock all the way!

In KuppingerCole’s 2016 Access Management and Federation Leadership Compass, ForgeRock makes it to the top of the list in each of the report’s four categories: Product, Market, Innovation and Overall.

Read the official press release here. To get access to the report, try this link.

Open Identity Tech Talks 2016 – Asia Pacific

ForgeRock is hosting the 2016 Asia Pacific Open Identity Tech Talks. To join these informal conversations on the latest trends in digital identity tech across apps, devices and connected things, register at the URL below. Hurry up, the seats are limited!

Open Identity Tech Talks 2016 – Asia Pacific

Addendum to ForgeRock Full Stack Configuration – Using ForgeRock OpenIG

This is an extension of an earlier post that demonstrated the ForgeRock Full Stack Configuration, comprising OpenDJ, OpenAM and OpenIDM. Here we’ll plug in ForgeRock OpenIG to route traffic to/from OpenAM and OpenIDM. In the video log that follows, you’ll see:

– All URLs that hit OpenIG containing the string ‘openam’ getting routed to the OpenAM URL
– All URLs that hit OpenIG that do not contain the string ‘openam’ getting routed to:

  1. OpenAM for authentication if there is no valid user session, and then on to the OpenIDM UI
  2. The OpenIDM UI directly if there is a valid user session
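Here is one way that routing could be expressed as an OpenIG 4 route, written as an added example for this post and not the route file used in the video. A single route whose handler is a DispatchHandler evaluates its bindings in order: paths beginning with /openam are sent to OpenAM by rewriting the request with a baseURI; any other request that carries no iPlanetDirectoryPro cookie (OpenAM’s default SSO cookie name) gets a 302 to the OpenAM login page with a goto back to OpenIG; everything else is proxied to OpenIDM, whose OpenAM authentication module (configured in the earlier Full Stack post) validates the cookie against OpenAM. The host names, ports and route name are assumptions, and the login URL is OpenAM’s classic UI/Login form:

```json
{
  "name": "zz-full-stack-dispatch",
  "handler": {
    "type": "DispatchHandler",
    "config": {
      "bindings": [
        {
          "condition": "${matches(request.uri.path, '^/openam')}",
          "baseURI": "http://openam.example.com:8080",
          "handler": "ClientHandler"
        },
        {
          "condition": "${empty request.cookies['iPlanetDirectoryPro']}",
          "handler": {
            "type": "StaticResponseHandler",
            "config": {
              "status": 302,
              "reason": "Found",
              "headers": {
                "Location": [
                  "http://openig.example.com:8080/openam/UI/Login?goto=http://openig.example.com:8080/"
                ]
              }
            }
          }
        },
        {
          "baseURI": "http://openidm.example.com:8080",
          "handler": "ClientHandler"
        }
      ]
    }
  }
}
```

The cookie check here tests only presence, not validity; a stale or forged cookie is still rejected when OpenIDM’s OpenAM session module asks OpenAM to validate the token. For the redirect to work, OpenAM’s cookie domain must cover the OpenIG host (the cookie is set on the OpenAM response, which the browser sees as coming from openig.example.com, so OpenAM’s cookie domain list must include that host). Because this route has no condition of its own, it matches every request; routes are tried in lexicographic order of their names, so give it a name that sorts after any more specific routes in the directory.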

So here’s the extended illustration


Now on to the video. Enjoy!

ForgeRock OpenAM – Configuring Different Realms to Use Different BaseDNs of an OpenDJ Instance as Identity Repository

The short video log that follows was prepared to answer a question raised in the forum on the ForgeRock Community website. It’s an easy one: how to configure two separate BaseDNs of a single ForgeRock OpenDJ instance as the identity repository for two separate realms in ForgeRock OpenAM.


Scripted SQL Connector in ForgeRock OpenIDM 4

The ForgeRock Identity Management solution includes a generic Groovy Connector Toolkit that enables you to run Groovy scripts against any external resource. You can read more about it here. Lifted verbatim from the OpenIDM 4 documentation mentioned above: “To facilitate creating your own scripted connectors with the Groovy Connector Toolkit, OpenIDM provides a scripted connector bundler.” I followed the instructions there (as well as those in the README file of ‘sample3’ in the OpenIDM installation directory) to build a ScriptedSQL connector that connects OpenIDM to a MySQL database, and my video log is below:


Configuring Password Validator in ForgeRock OpenDJ 3

– How do we set a minimum/maximum password length in ForgeRock OpenDJ?
– How do we require users to include certain special characters in their OpenDJ password?
– How do we have users use an alphanumeric string as their OpenDJ password?
– How do we create a custom password validator (one that validates a password against rules such as the ones above)?

Well, if these questions bother you, just as they did a friend of mine a day ago, the following video might help get some answers:

Related Videos/Documentation:
ForgeRock OpenDJ Documentation on Password Policy
ForgeRock OpenDJ Password Policy Part I – Service Based Password Policy [Video]
ForgeRock OpenDJ Password Policy Part II – Sub Entry Based Password Policy [Video]

ForgeRock Full Stack Configuration

If you’re in a hurry to know what each of the ForgeRock Identity Platform Components is meant to do, try the Full Stack Configuration. In just over fifteen minutes, you’ll see:

– Installation of ForgeRock OpenDJ
– Deployment of ForgeRock OpenAM
– Configuration of OpenDJ as an Identity Repository in ForgeRock OpenAM
– Installation of ForgeRock OpenIDM
– Configuring OpenDJ as External Resource in OpenIDM
– Running a reconciliation in OpenIDM from OpenDJ
– Provisioning a User from OpenIDM to OpenDJ
– Using OpenAM as the Authentication Module for OpenIDM

With a much awaited weekend around the corner, I couldn’t really get over the laziness to create a better illustration than the one below to help visualize what’s mentioned above.


Please watch it, if you have some time. Enjoy!

Thanks: ForgeRock Product Documentation

Deploying a Highly Available ForgeRock Identity Management Solution

We have already discussed on this space the installation of the ForgeRock Identity Management solution and, further, configuring a database as its repository. But in those discussions, each of the critical components of the solution, namely ForgeRock OpenIDM 4 and the MySQL database, was a single point of failure (SPOF). In an environment where business continuity is critical, we ought to build a solution that has no SPOF in the architecture. So I’m going to take you through that route today. Of course, this is just a hint and a way to understand the different options you might consider in configuring ForgeRock OpenIDM 4 for high availability.

I have a rather simple example of an HA configuration, mainly meant for understanding and learning. In a sensitive infrastructure, a great deal of planning goes into building a highly available environment. So here’s the small setup we have for learning:

ForgeRock OpenIDM 4 High Available Configuration

Two instances of ForgeRock OpenIDM 4 connect to a MySQL Proxy, which in turn talks to a MySQL replication setup. Of course, in this setup the MySQL Proxy is itself a SPOF, so you should have at least two of them in front of the MySQL replication setup. But had I attempted that, the whole thing would have looked a lot more complicated and failed the objective of being a learning tool. So if you’ve just under half an hour to spare, you will learn:

– How to use MySQL Proxy
– How to setup MySQL Replication (Master/Slave)
– How to install OpenIDM 4
– How to configure OpenIDM 4 to use a MySQL Database as its Repository
– How to bring up an OpenIDM Cluster environment
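As an added example (not a file from the original post), here is the conf/cluster.json an OpenIDM 4 node needs before it will take part in the cluster sketched above. The node name is read from the openidm.node.id property in conf/boot/boot.properties, which must differ on each node (node1 and node2 here are assumptions), and both nodes must point the JDBC URL of their repository configuration at the MySQL Proxy (port 4040 by default) rather than at either MySQL server, so that they see one shared repository. The timeout values are the documented defaults, in milliseconds:

```json
{
  "instanceId": "&{openidm.node.id}",
  "instanceTimeout": "30000",
  "instanceRecoveryTimeout": "30000",
  "instanceCheckInTimeout": "5000",
  "instanceCheckInOffset": "0",
  "enabled": true
}
```

instanceTimeout is how long a node may go without checking in before the other nodes treat it as down and start recovering the jobs it held; instanceCheckInTimeout is how often each node writes its heartbeat to the shared repository. Two practitioner caveats: the nodes must share identical conf contents, including the security keystore and truststore, otherwise one node cannot decrypt values another wrote to the repository; and a cluster behind a single MySQL Proxy has only moved the SPOF, as the post itself points out, so a second proxy (or a client-side failover JDBC URL) belongs in any setup past the learning stage.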

Well, the final state is what you get to see in the illustration above.

Now on to the video. Enjoy!

ForgeRock OpenIG 4 As OpenAM Policy Enforcement Point

Enforcing a policy decision sent by the access management solution is a job usually done by the OpenAM Web/J2EE Policy Agent. To help you recollect, this is how it works:

– An end user tries to access a resource (say, a URL)
– The Web/J2EE Policy Agent deployed in the container intercepts the request and redirects it to the access management solution
– The access management solution first authenticates the user, then redirects back to the resource (URL), where the agent receives the request again
– The agent now asks the access management solution whether the authenticated user has access to the protected resource (authorization)
– Based on the policies defined in the access management solution for the protected resource, it constructs a decision and sends it back to the agent
– Whatever decision the agent receives from the access management solution (ALLOW or DENY access to the protected resource), the agent enforces it!

The story in the video below is a bit different. In fact, the protagonist is different: the honour of enforcing a policy decision sent by OpenAM goes to ForgeRock OpenIG 4. As for the flow, it by and large remains as described above; just that OpenIG uses its route configuration file to decide whether it should redirect client requests to OpenAM (should the SSO cookie be absent from the request), to ask OpenAM for policy decisions on protected URLs for authenticated users, and finally to enforce the decision sent back by OpenAM (whether to ALLOW or DENY access to the protected URLs).
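As an added example (not the route from the screen-cast), here is an OpenIG 4 route that plays the policy enforcement point for one protected path. Its condition only matches when the request carries OpenAM’s iPlanetDirectoryPro SSO cookie, so a request without the cookie falls through to whatever route redirects the client to the OpenAM login page (not shown). The PolicyEnforcementFilter presents the cookie value as the subject to OpenAM’s policy evaluation endpoint and, if the decision is DENY, answers the client with 403 itself, so the application behind ClientHandler is never contacted for a denied request. The hosts, ports, route name and the pep account are assumptions; iPlanetAMWebAgentService is OpenAM’s default policy set, and pepUsername must be an OpenAM account permitted to request policy decisions:

```json
{
  "name": "pep",
  "condition": "${matches(request.uri.path, '^/home/pep') and not empty request.cookies['iPlanetDirectoryPro']}",
  "baseURI": "http://app.example.com:8081",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "PolicyEnforcementFilter",
          "config": {
            "openamUrl": "http://openam.example.com:8088/openam/",
            "pepUsername": "openig-pep",
            "pepPassword": "password",
            "realm": "/",
            "application": "iPlanetAMWebAgentService",
            "ssoTokenSubject": "${request.cookies['iPlanetDirectoryPro'][0].value}"
          }
        }
      ],
      "handler": "ClientHandler"
    }
  }
}
```

Two things make this an enforcement point rather than a suggestion. The application port (8081 here) must be reachable only from the OpenIG host, otherwise the policy is bypassed by going direct; and the pep account should be a dedicated one holding only the policy-evaluation privilege, with the route file’s permissions tightened, since its password sits there in clear text.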

Very roughly, here’s an illustration of the flow:
ForgeRock OpenIG 4 As ForgeRock OpenAM 13 Policy Enforcement Point

To see it in action, watch the screen-cast below. Enjoy!

Related Documentation:
ForgeRock OpenIG Documentation

Upgrade to ForgeRock OpenDJ 3.0

As you know, the newer version of ForgeRock Directory Services is out. Based on the ForgeRock OpenDJ 3.0 documentation, here’s my video log (~3 minutes) on the OpenDJ upgrade process, which could be considered a resource to learn and evaluate that process. Needless to emphasize, an activity such as upgrading a production environment requires detailed analysis and planning before execution.

Related Documentation and other Useful Links:
ForgeRock OpenDJ 3 Documentation – Upgrade
Ludo’s Sketches: What’s new in OpenDJ 3 – Part I
Ludo’s Sketches: What’s new in OpenDJ 3 – Part II
Ludo’s Sketches: What’s new in OpenDJ 3 – Part III

ForgeRock OpenIG 4 – Getting Credentials from ForgeRock OpenAM 13

Interested in seeing how the ForgeRock Identity Gateway works together with the ForgeRock Access Management solution to replay a user’s credentials to a legacy application, giving him/her access to it? There’s a screen-cast right below this write-up. I had already posted a couple of entries on this space demonstrating how OpenIG fetches user credentials from different datastores, like a CSV file and a JDBC database. While viewing them is not a prerequisite for the video below, it might help to get a good grip on the steps performed. So if you haven’t come across those blog entries yet, here they are:

ForgeRock OpenIG 4 – Getting Credentials from File Datastore
ForgeRock OpenIG 4 – Getting Credentials from Database

What to expect in the video?

– A user tries to access the ‘’ URL
– A Java EE OpenAM Policy Agent sitting in front of the ‘’ URL intercepts the request from the client (the user’s browser) and redirects it to ForgeRock OpenAM (
– ForgeRock OpenAM sends the OpenAM login page back to the user
– The user supplies the credentials, which OpenAM verifies. If authentication is successful, OpenAM adds the user’s username and encrypted password to the session and sends it to the Java EE Policy Agent
– The Java EE Policy Agent validates the user’s session and hands control to OpenIG
– Because the URL the client requested ( matches a specific route (say, 04-route.json) configured in OpenIG, OpenIG applies the filters in that route configuration file. The first filter uses a shared key (also known to OpenAM) to decrypt the encrypted password sent by OpenAM. The second filter retrieves the username and password from the exchange and replaces the browser’s original HTTP GET request with an HTTP POST login request containing the credentials, and the third filter removes the username and password headers before continuing to process the exchange
– The HTTP server validates the credentials and responds to OpenIG with the user’s profile page
– OpenIG sends that response to the end user

Note: OpenAM in our setup is configured to run a ‘Password Replay’ Java class on successful authentication. The Java EE agent profile in OpenAM is configured for Single Sign On (SSO) only, and to add the UserToken (username) and sunIdentityUserPassword (password) session attributes as HTTP headers. And the FQHN of the OpenAM deployment in the video demonstration is ‘’ and not ‘’.
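The three-filter chain described above, written out as an added example of an OpenIG 4 route; it is not the 04-route.json from the video. The agent profile is assumed to map the UserToken and sunIdentityUserPassword session attributes to request headers named username and password; the value of key must be the same base64-encoded DES key that OpenAM’s password-replay class was given (DESKEY is a placeholder, not a usable key); and the application host, its login URI and the route condition are assumptions:

```json
{
  "name": "replay-from-openam",
  "condition": "${matches(request.uri.path, '^/replay')}",
  "baseURI": "http://app.example.com:8081",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "CryptoHeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "operation": "DECRYPT",
            "algorithm": "DES/ECB/NoPadding",
            "key": "DESKEY",
            "keyType": "DES",
            "charSet": "utf-8",
            "headers": ["password"]
          }
        },
        {
          "type": "StaticRequestFilter",
          "config": {
            "method": "POST",
            "uri": "http://app.example.com:8081/login",
            "form": {
              "username": ["${request.headers['username'][0]}"],
              "password": ["${request.headers['password'][0]}"]
            }
          }
        },
        {
          "type": "HeaderFilter",
          "config": {
            "messageType": "REQUEST",
            "remove": ["username", "password"]
          }
        }
      ],
      "handler": "ClientHandler"
    }
  }
}
```

The filters run in the order listed: decrypt the password header in place, build the POST from the two headers, then strip the headers so the application only ever sees the form body. Two caveats worth keeping in mind: DES in ECB mode is what OpenAM’s replay class produces, so treat it as obfuscation of the password between two hosts you already trust and put the agent-to-OpenIG hop on TLS; and this route must be reachable only through the agent, because a client that can talk to OpenIG directly could supply its own username and password headers, and the HeaderFilter that removes them protects the application, not OpenIG.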

To satisfy your Visual Cortex, here’s an illustration of the steps above:

OpenIG Fetching Credentials from OpenAM-Modified

Now on to the step by step configuration. Enjoy!

Related Documentation / Video:
– ForgeRock OpenIG Documentation
– Screencast on ‘ForgeRock OpenIG 3.x: Getting Credentials from OpenAM’

ForgeRock OpenIG 4 – Getting Credentials From Database

To see how ForgeRock OpenIG 4 is configured to fetch user credentials from a database for user authentication (a process transparent to the user), the following video log might help. I had posted a similar video on this space earlier, but then the user credentials were fetched from a flat file (CSV). The flow isn’t very different from that; just that the filter used by ForgeRock OpenIG in this case is different, and that we should configure OpenIG to connect to the DB.

In the video, we’ll:
– Install the H2 database, create a ‘Users’ table and load user data into it
– Configure OpenIG (deployed in Jetty) to connect to the database
– Prepare an OpenIG route configuration file to fetch the user’s credentials (based on an email address) and post them to the HTTP server, which responds with the user’s profile page

For those whose right side of the brain is more prominent, here’s the visual representation of what is mentioned above:


For those who don’t want to think too much looking at the illustration above, but would rather sit back, relax and enjoy watching a show, here’s the video. Enjoy!

Related Documentation/Video
ForgeRock OpenIG Documentation
Screencast on using OpenIG 3.x to Connect to a JDBC Datastore

ForgeRock OpenIG 4 – Getting Credentials From File Datastore

If we’ve just moved ahead of ‘Getting Started with OpenIG 4’, the following screen-cast might be of some interest. In fact, this is a remake of a video that’s posted here, which was based on a now older version of ForgeRock OpenIG.

So what’s in the video here? We have a CSV file with some user details. A user tries to access a URI, which hits OpenIG, which, by using some route configuration files, looks up the user’s credentials in the CSV file and posts them to the HTTP server to get a user profile page (post-authentication landing page) in return. So the client, without the inconvenience of supplying his/her credentials, gets the post-authentication landing page from the HTTP server. See if my attempt to capture the flow below makes sense.

ForgeRock OpenIG 4 - Getting Credentials from File Datastore

If that didn’t make your life easy, hopefully the demonstration in the video will. Enjoy!

Related Documentation/ Video:
ForgeRock OpenIG Documentation
ForgeRock OpenIG 3.x – Getting Credentials from File Datastore

Getting Started with ForgeRock OpenIG 4

If you haven’t gotten started with the newer version of ForgeRock OpenIG, the following video might be of some help. I’ve done this before, but using what is now an older version of the product. So if you are familiar with that, this gives you the assurance that everything continues to work as before, and that there is more to it (that’s a story for another day though). So if you haven’t gotten your hands dirty with ForgeRock’s Identity Gateway solution, I invite you to have a look at it; everything you may need to get started with it you will find in the video below.

Very quickly, let me tell you what’s done in the screen-cast:

– Install Jetty
– Deploy ForgeRock OpenIG in Jetty
– Install Minimal HTTP Server
– Configure ForgeRock OpenIG to post user credentials to the HTTP server, which returns a user profile page (so the authentication process is transparent to the user)

Please note that the practice of hard-coding user credentials is something you’ll probably never see in a real-world scenario, but of course the intent here is only to get a rough idea of what OpenIG can do. The illustration below might give you a decent idea of the flow:


The video, I’m confident, will make it clearer. Enjoy!

Related Documentation/Video:
ForgeRock OpenIG Documentation
ForgeRock OpenIG (3.x) Installation and Configuration in a Linux Container

Setting Up Email and User Self Registration in ForgeRock OpenIDM 4

A few months back, I had published a post with a video demonstration on setting up email in a now older version of ForgeRock OpenIDM. If you haven’t seen it and would like to take a look, it’s here. Between then and now a lot of things have changed, one of which is an improved UI in the recently released OpenIDM 4. If you have four minutes to spare, watch the video below to see how much good work has gone into the OpenIDM 4 UI improvements.


ForgeRock OpenIDM 4: Installing a Repository for Production (PostgreSQL)

ForgeRock OpenIDM 4 uses OrientDB as its default datastore, which is good for learning and evaluation, but not suitable for a Production environment. In an earlier post on this space, we looked at the configuration of a MySQL database as the repository for OpenIDM 4. Picking up from there, because a site that I know of uses PostgreSQL instead of MySQL, I made a quick demonstration on setting up OpenIDM 4 with PostgreSQL.


Related ForgeRock Documentation:
Setting up OpenIDM with PostgreSQL

ForgeRock OpenIDM 4: Installing a Repository for Production (MySQL)

Think of this post as a remake of an earlier one done several months back. Well, just that the earlier blog post in reference here was based on a now older version of OpenIDM, ForgeRock‘s Identity Management Solution. As always, I’m grateful to the ForgeRock documentation team for a clean write-up on the configuration of MySQL as a repository for ForgeRock OpenIDM 4.

Related Video/Documentation:
Video – Setting Up ForgeRock OpenIDM with MySQL (OpenIDM 3.x)
Documentation – Setting up OpenIDM with MySQL

ForgeRock Authenticator (OATH) in ForgeRock OpenAM 13

If you’re in possession of a Smart Phone that runs either Apple iOS or Android, you may be interested to know that the newer version of ForgeRock’s Access Management solution now has an Authenticator App for you. Once installed and the device registered with ForgeRock OpenAM 13, one could use this Mobile App to generate a One Time Password to validate his/her identity and thereby gain access to resources protected by OpenAM. Needless to add, the ForgeRock Authenticator Mobile App is available on the Apple iTunes Store for iOS users and the Google Play Store for Android fans.

Once installed, you’ll see on your phone something close to what is in the picture below:


Here’s what I did with my copy of ForgeRock Authenticator App on my iPhone:

– Configured an Authentication Chain ‘myAuthChain’ in my OpenAM 13 instance
– The said chain consisted of two Authentication Modules namely DataStore & ForgeRock Authenticator (OATH)
– When a subject authenticates against the ‘myAuthChain’ Authentication Chain in OpenAM, he/she is prompted for the DataStore credentials (an embedded OpenDJ instance), which on success is followed by another prompt where the user can register his/her device (using a QR Code) and generate an OTP that can be used to gain access to the resources protected by OpenAM.


If you are interested to see all of this in action, please spare five minutes to watch the video below.


Related documents/videos:
ForgeRock Documentation
Smart Security Using Phone App Demo

SAML2 as ForgeRock OpenAM 13 Authentication Module Instance

Well, you’ve possibly heard about the release of the newer version of the ForgeRock Identity Platform with several enhanced capabilities. If not, you can read about it all here. One of the new features in the Access Management component of the ForgeRock Identity Platform is the SAML2 Authentication Module. What that offers is, after configuring Federation, we could supply all the required details like the IDP entity, the binding method etc. in an Authentication Module instance of the ForgeRock Access Management solution and use it just like any other Authentication Module (LDAP, Database, HOTP etc.). Let’s see how that’s done in a video demonstration that follows this write-up. And, by the way, if you’d like to get a quick idea of what’s new in the newer version of the ForgeRock Access Management solution, read the release notes here.

We’ve already discussed OpenAM Federation on this space before. Here’s a list of links from the past:

ForgeRock OpenAM Federation Using SAML v2
Using SAML Assertion Attributes in ForgeRock OpenAM

While the following video walks through the OpenAM Federation Configuration from scratch, if you feel there are details missing in it, please feel free to have a look at the web logs mentioned above. The main focus of the screen-cast below is only to see how SAML2 is used as an Authentication Module instance in version 13 of ForgeRock OpenAM.

The following illustration might give a quick idea on what’s demonstrated in the video embedded below this post.

Now on to the screen-cast. Enjoy!

New Year Wishes – Year 2016

When the clock hands sweep two more rounds, our life takes a turn, or at least that’s what some of us believe. Not this year alone, but for several years that have gone by, many of us perhaps anticipated a complete makeover once every dozen months. Three weeks into changing our calendars, a good number of us tore apart a list of life changing activities, quite seriously drafted over a New Year Eve, on every New Year Eve maybe, one that’s not too different from what we may have in possession today. Agreed, all of it is past and is way behind us, but with a fresh start in place we might be brimming with confidence, backed up by an unprecedented optimism to run through a brand new set of resolutions that’ll keep our waistline in check, maintain a steady spend pattern, polish the CV with new impressive skill sets, and last but not the least, strike a balance in life. May it be so!

Research says that a goal set on a Monday or similar “temporal landmarks” is pursued more seriously than otherwise. While I don’t know of data that talks the same way of a goal set on a New Year, I wish you achieve all of that you’ve in your mind in the year to come. Personally, I continue to believe that to gain something in life, we ought to set a goal, develop strong will, work hard, maintain enthusiasm, persevere and be grateful. For that, we can take a call ‘Here and Now’, not necessarily only on a New Year Eve. Well, that makes my New Year look Black & White, devoid of any thrilling action. But when the world is taking a pause to reflect on the glory days of life in the past twelve months, laugh away the mistakes made, overcome the pain of losses, and look forward to offering a warm welcome to a New Year, let me stop by you to say, “Thank you”, for whatever role you played in my life, not just in the year that’s passing by, but for ever and a day, in making me what I am today or putting me where I stand.

If we have known each other for some years now, you know well of my ritual to reach over to you on this very occasion, largely to let you know that you are in my thoughts, strong as ever before, and that I stay grateful to you for being there for me. I’ve always held my faith in the invisible architect, who I believe, carefully constructs moment after moment in our life, even that of connecting us through channels that, at times, appear so very strange. It’s foolish not to say “Thank God” in a note that has gratefulness painted all over it.

And if life is made up of many moments, why not spend some of it on the last day of this year in Fun and Celebration. Like you, I hardly fancy a New Year sans difficult events. All the same, I hope we can all pump enough positivity into as many moments as we can in the coming year for a flourishing life. So before you get busy with the fireworks tonight, here’s wishing you, your friends & family, from the bottom of my heart, a Happy, Healthy and Prosperous Year 2016.

Configuring Roles in ForgeRock OpenIDM 4

Merry Christmas!

For those interested to know how to configure Roles in ForgeRock OpenIDM, here’s my Christmas gift. A video at the end of this post will walk you through the installation of both ForgeRock OpenIDM and ForgeRock OpenDJ, configuring the latter as an external resource in OpenIDM, and performing reconciliation to bring in users from OpenDJ to OpenIDM. That’s not it, because all of that I’ve shown you earlier as well. Then, what’s more? Here it is:

So we go on and create Roles in OpenIDM, which have Managed Assignments that in turn have Attributes associated with an external resource (ForgeRock OpenDJ). So when a Role is assigned to a user in OpenIDM, based on the value of the Attribute that is attached to the Role, the user will be subscribed to a group in OpenDJ. If it sounds confusing, please don’t waste time reading it again; instead watch the video below, and it’ll all be crystal clear.


Installation of ForgeRock OpenIDM 4 and Configuration of ForgeRock OpenDJ as its External Resource

It’s not for no reason that I picked ‘Whistling Down the Road’ by Silent Partner (Courtesy: Google YouTube Audio Library) as the audio background for the screen-cast embedded on this blog post. The installation of ForgeRock OpenIDM 4 is one such experience, just like whistling away down the road! See it to believe it and don’t forget to try it.

I’ve done a similar screen-cast before, but that was using OpenIDM 3.x. Be wary of the fact that the software used in this screen-cast is not yet ready for Production. But now that the ForgeRock Management have given us this clue on the road ahead for the ForgeRock Products, it makes sense to start exploring it (if not already done).

So in the video below, you’ll see the lightning fast installation of both OpenIDM and OpenDJ and the configuration of OpenDJ as an External Resource for OpenIDM.


Using SAML Assertion Attributes in ForgeRock OpenAM – Concluding Episode: Using SAML Assertion Attributes

You’ve reached the concluding episode of a four part video made on using SAML v2 Assertion attributes in an application protected by ForgeRock OpenAM. I don’t need to mention that, this being the last one in the lot, it may seem pointless to read/view this entry independently without going through the entries below, preferably in the exact same order as listed:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes

We can safely say that the diagram below is the end state of our demonstration:


So what we’ve in there is a client attempting to access the protected J2EE Application, which is intercepted by the OpenAM Policy Agent, who in turn redirects the request to an IDP initiated SSO URL, resulting in a Login page to the end user from the IDP. The IDP would then validate the credentials supplied by the end user, and if found authentic, send an assertion to the SP with the user attributes (like mail, telephonenumber) specified in the Federation Configuration. Because it uses Transient Federation, the user will not have a profile in the SP; still the attributes in the Assertion are available in the user’s session to be used by the Agent to pass on to the application. It may have sounded complicated, but I’m confident that the concluding episode of a rather lengthy screen-cast can help you figure it all out.

I want to take a moment to thank you for having spent time reading/viewing my web logs on ‘Using SAML Assertion Attributes’, and I sincerely hope it was useful.


Using SAML Assertion Attributes in ForgeRock OpenAM – Episode 03/04 : Configuring Transient Federation in ForgeRock OpenAM

This is the third episode from a four part video made on using SAML v2 Assertion attributes in an application protected by ForgeRock OpenAM. In the interest of continuity and also to get the context accurately, it may make sense to read/view the blog posts in the following order:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes

Let me throw a picture at you:


The diagram is a slightly modified version of the one that you would have seen in my earlier blog entry. It has one additional user in the Identity Provider (who of course seems like a world famous detective, and that’s no coincidence), but no corresponding entry in the Service Provider. In the Identity Federation Configuration earlier, we saw how a user with the id ‘demo’ in the Identity Provider linked her account with her id in the Service Provider. But there can be situations when we may want to use Federation with identities only at the IDP, while still gaining access to the applications protected by the SP. That’s where Transient Federation comes into play. It maps the identities from the IDP to an anonymous user in the SP (many to one mapping).


Using SAML Assertion Attributes in ForgeRock OpenAM – Episode 02/04 : Configuring SAML 2.0 Federation in ForgeRock OpenAM

This is the second entry from a series of four blog entries made around using SAML v2 Assertion attributes in an application protected by ForgeRock OpenAM. Reading/viewing this as an independent entry may not be a futile exercise, but it may prove more effective if the following order is followed while going through this topic:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes

At the end of this episode, the following is what you get:


So the diagram above shows a Circle of Trust established between two entities (an Identity Provider and a Service Provider), each of which is an OpenAM instance running in two different Linux Containers. In this scenario, a user (with id ‘demo’) has a profile in both the IDP and the SP, and by virtue of Identity Federation, she manages to link those accounts, after which, once she authenticates against the IDP, the IDP can send an assertion to the SP, validating the authenticity of the user.


Using SAML Assertion Attributes in ForgeRock OpenAM – Episode 01/04 : Protecting a J2EE Application with ForgeRock OpenAM

This is the first of four blog entries that aim at demonstrating how to use SAML Assertion Attributes in an Application protected by ForgeRock OpenAM. For the convenience of viewing, a thirty five odd minute screen-cast has been split into four sections, the first of which is embedded on this blog post. While each entry talks of an independent facility in ForgeRock OpenAM, it makes sense to read/view them in the following order:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes


As you can possibly make out from the illustration above, there are three Linux Containers being used in our demonstration, two of which run an OpenAM instance each. A third Linux Container is used for installing a J2EE Application. The illustration captures the end state of this segment, where a J2EE Application is protected by an OpenAM J2EE Agent, making sure all client requests to it are intercepted by the Agent and redirected to OpenAM for Authentication/Authorization.


Distributed Authentication in ForgeRock OpenAM

Let me start with a word of caution. I made a screen-cast to demonstrate Distributed Authentication in ForgeRock OpenAM and you’ll find the same embedded on this post. Some of my actions in there are questionable and should never be attempted even in a development environment, such as setting a URL in the OpenAM Administration Console to redirect to after a successful Authentication. This video demonstration is solely intended to give a hint on the positioning of the Distributed Authentication UI in an OpenAM Deployment Topology, but several other things like Network/Firewall configuration and Post Authentication Processing that go hand in hand with Distributed Authentication in OpenAM were beyond the scope of this short screen-cast. I really hope you get an idea of what Distributed Authentication in OpenAM is expected to achieve.

The following illustration might give you an idea of what’s demonstrated in the video. We have a client network that cannot (or is not supposed to) access the OpenAM Server in a different Network directly (say for Security reasons). So in a Demilitarized Zone (DMZ) or Perimeter Network, we have a Server that offers a Distributed Authentication UI to the clients from the ‘untrusted network’. That way, the clients get to see the UI of OpenAM by accessing the Server in the DMZ, which would in turn talk to the OpenAM Server through a trusted channel. As one can imagine, Network Configuration like Firewalls plays an important role in a deployment scenario, but sadly that’s all beyond the scope of our mini demonstration.

So if you have ~10 minutes to spare, watch it.


Thanks: ForgeRock Documentation on OpenAM

MySQL Database as Identity Repository for ForgeRock OpenAM

ForgeRock OpenAM has three types of repositories:

(i) Configuration Repository that stores the OpenAM configuration data (ForgeRock OpenDJ)
(ii) Authentication Repository that’s used by OpenAM to Perform User Authentication (has more than 20 options out of the box)
(iii) Identity Repository that stores the User Profiles (has several options like LDAP v3, OpenDJ, AD, IBM’s Directory Server and Database [Early Access])

Someone asked me for the details on configuring a Database as the Identity Repository for ForgeRock OpenAM, so as soon as I got a chance, I created the following screen-cast to demonstrate the use of a MySQL Database as an Identity Repository for ForgeRock OpenAM. It’s fairly straightforward.


ForgeRock OpenAM Deployment Training in Bangalore, India

Just yesterday, I concluded a five day ForgeRock University training program on ForgeRock OpenAM at Bangalore. I wish to express my sincere gratitude to each one in the picture below for showing up for a ForgeRock University course on our Access Management solution and wish them success in their ForgeRock Projects.

To know what we discussed during the training or to subscribe for one such program, all details are here.

If you aren’t looking for a detailed program on our Products as the one you find in the link above, we do offer half a day free (as in beer) overview session on both ForgeRock OpenAM and ForgeRock OpenIDM, the details of which are below (keep checking the links below for the next occurrence):

ForgeRock OpenAM Product Overview
ForgeRock OpenIDM Product Overview

Lastly, if you are keen to validate/demonstrate your skills in ForgeRock OpenAM, check out ForgeRock Certified OpenAM Specialist Exam.

Again, to all my friends who dropped by for the OpenAM training, thanks for all the fun and learning.


ForgeRock OpenAM and Social Authentication (Facebook) using OAuth2

The video demonstration embedded below this write-up is dangerously similar to the video here, published more than three months ago. I’ve had challenges making this one though, which is when my colleagues Jon Knight and Albert Ayoub stepped forward to lend a helping hand. So if you’re ready, let’s see how ForgeRock OpenAM lets a user authenticate against his/her Facebook account to gain access to OpenAM (read: applications protected by OpenAM).


There is a very useful article around this right here.

ForgeRock OpenAM Federation Using SAML v2

If you experience Deja Vu by looking at the illustration just below, chances are that you’ve hit my blogs before, in particular on this entry, where we looked at ForgeRock OpenAM as an Identity Provider and ForgeRock OpenIG as a Service Provider.

A friend asked me if I could demonstrate a very simple configuration of Federation using two ForgeRock OpenAM instances, one acting as an Identity Provider (a.k.a IDP) and another one taking up the role of a Service Provider (a.k.a SP). It wasn’t difficult to do one, so here we have it embedded towards the end of this post.


So what do we have here:

– A Circle of Trust which has two OpenAM instances, one of which acting as an Identity Provider and another one as Service Provider
– User always authenticates against the Identity Provider
– The authentication process is initiated either by the IDP (known as IDP initiated SSO) or by the SP (SP initiated SSO)
– Once the user is authenticated successfully, IDP sends across a piece of security information to the SP (known as assertion) that could contain user attributes
– SP then gives the user access to protected resources

In the demonstration that follows, because ‘Auto Federation’ is not enabled, during the first login the user will be prompted for credentials by both the IDP and the SP. Once the account linking is done, it’s only the IDP that would challenge the user.

If the illustration and the briefing above haven’t given you the complete picture, the video below might give a better one.


Managing Account Status Notification in ForgeRock OpenDJ

In a couple of blog posts published in the recent past, one on ForgeRock OpenAM and another on ForgeRock OpenIDM, we had a look at configuring E-mail Services in the aforesaid Products. And it’ll be grossly unfair if we don’t touch upon the same topic in ForgeRock’s Directory Services solution: OpenDJ.

Thanks to the following articles/documents:

ForgeRock Documentation on Managing Account Status Notification in OpenDJ
Mark Craig’s blog
Ludo’s Sketches

Thanks also to the authors of the following content for helping with the SMTP Server Configuration:

Ubuntu Forum Thread
ArchLinux Forum Thread
DigitalOcean Tutorial

And now on to my ~15 minute long video log on Managing Account Status and Notification in OpenDJ.


Sending Emails from ForgeRock OpenIDM

No one wants to stay logged in on to the User Interface of a Provisioning Tool, waiting for the approval requests to flood into their queue in order to take an appropriate action. We have other things to do in life and for matters that require our attention we all expect notifications, don’t we? Without doubt, one very common and an easy channel for notification is Email, which some consider to be the first and the last killer app of the Internet. Just like many other configurations, setting up Outbound Email in ForgeRock OpenIDM is a walk in the park. If you have just over 5 minutes to spare, watch how it’s done in the video below:


Deeply indebted to this section of the ForgeRock Documentation on OpenIDM.

ForgeRock OpenIG as SAML 2.0 Service Provider

This post is based on the ForgeRock Documentation on configuring OpenIG as a SAML 2.0 Service Provider. The video log embedded just below this write-up is a visual representation of what is already there in the document that I mentioned above. For a detailed study, please read through the documentation and then sit back, relax and watch the demonstration in the screen-cast below.

SAML 2.0, as you probably know, is a standard to exchange information between a SAML authority (an Identity Provider a.k.a IDP) and a SAML Consumer (a Service Provider a.k.a SP). In the demonstration that follows, ForgeRock OpenAM acts as an Identity Provider and ForgeRock OpenIG acts as a Service Provider. So the authentication of a user is done by the IDP, who will then send a piece of information (Assertion) to the SP that could contain the attributes of the user from the user’s profile in the IDP DataStore. The SP will then use the information thus obtained (Assertion) to take further action (like giving access to the user etc.).

There are two ways of getting this done:
(i) SP initiated SSO
(ii) IDP initiated SSO

In simple words, in an SP initiated SSO, the user contacts the Service Provider, who in turn gets in touch with the Identity Provider, who would validate the user credentials and then pass a piece of information (Assertion) that could contain the user attributes to the Service Provider. Whereas in an IDP initiated SSO, the IDP will authenticate the user, and would then send an unsolicited message (Assertion) to the SP, who would then take further action (like giving access to the user etc.).

The following two illustrations might give a rough idea:


In our story (above in the illustration and below in the video), a user authenticates against ForgeRock OpenAM (IDP), who will then send an assertion (containing the user’s mail and employeenumber attributes) to ForgeRock OpenIG (Service Provider), who will apply filters (like extracting the attributes from the assertion and posting them as username and password) to post the user’s credentials to a protected application (Minimal HTTP Server).

If you’ve got only a vague picture of what’s discussed above, I believe it’ll be clearer after watching the video below:


User Self Registration in ForgeRock OpenAM Concluding Part – Using REST

In an earlier post, we saw User Self Registration in ForgeRock OpenAM using XUI. It’s likely that you may not want to use the UI that comes with OpenAM, but may have reasons to build your own UI/Application on the REST API to operate on ForgeRock’s Access Management Solution. Keeping that in mind, a discussion on User Self Registration in OpenAM is incomplete without showing you how it is done using REST. Like many other examples you may already be familiar with around REST calls to ForgeRock products, you’ll see the usage of the simple, yet powerful ‘curl’ to invoke REST calls to OpenAM for Self Registering a User. Here’s a list of related video blogs that you may want to watch before watching the one that’s embedded below.

User Self Registration in ForgeRock OpenAM Part I – Using XUI
E-mail Service Configuration in ForgeRock OpenAM

If you are ready, let’s go:

User Self Registration in ForgeRock OpenAM Part I – Using XUI

ForgeRock OpenAM is not meant for User Provisioning. Consider ForgeRock OpenIDM for that. Still, OpenAM does offer a facility for User Self Registration. In this segment, let’s have a look at how it’s done using the User Interface of OpenAM (XUI). As you can guess, it’s not a difficult task at all. Have a look.

Before I forget, the E-mail Service needs to be configured in OpenAM for the User Self Registration to work, so if you don’t know how that’s done, we have another video here.


E-mail Service Configuration in ForgeRock OpenAM

In the less than 2 minute video that follows, you’ll see me setting up the E-mail service in ForgeRock OpenAM, a facility that is used by OpenAM features such as User Self Registration. Because I know for certain I’ll have to refer to this video on a number of occasions in future while demonstrating other capabilities of OpenAM, I’ve decided to keep this video tutorial separate and independent. It’s tiny, of course:


ForgeRock OpenDJ Password Policy Part II – Subentry Based Password Policy

This post picks up from where we left off last time and takes the next step to demonstrate Subentry Based Password Policy in ForgeRock OpenDJ. I owe a great deal of gratitude to the ForgeRock documentation team for this neat write-up on OpenDJ Password Policy, as well as to Ludovic Poitou for his blog post. So in under 5 minutes, we take our discussion on OpenDJ Password Policy to its conclusion.


ForgeRock OpenDJ Password Policy Part I – Server Based Password Policy

Someone asked me if I could do a video on ForgeRock OpenDJ Password Policy. Though it took me a while to get over my laziness to do one, finally I’ve the first of a two-part video that demonstrates the Password Policy in OpenDJ. In the first part that’s embedded below, we get to know about the System based Password Policy in OpenDJ and how to make changes to it. OpenDJ installation is covered very quickly, so if you aren’t too comfortable with the OpenDJ installation or the basic LDAP commands for that matter, I humbly suggest you take a quick look here first.


Still on DSEE? Try ForgeRock OpenDJ

This post is inspired by Ludovic Poitou’s reply to a thread in the ForgeRock OpenDJ Forum around DSEE to ForgeRock OpenDJ migration. Consider this to be just a hint, and not an answer. In the video log that’s embedded just below this write-up, you’ll see some clues on a couple of different methods that you could consider to move away from a product that’s now in its sustaining stage to ForgeRock’s Directory Services Solution. I don’t need to mention here how important a task it is to carefully draft a plan for migration from one product to another, and I’m sure you’ll not take this video log as the only reference while doing so.

So if you’ve half an hour to spare, you’ll see in the video:
Act 1:
– A ‘Flash Back’ on DSEE installation and configuration
– Exporting the data from the DSEE instance
– Installation & Configuration of ForgeRock OpenDJ
– Importing the DSEE instance backup to ForgeRock OpenDJ
Act 2:
– Installation of ForgeRock OpenIDM
– Configuration of External LDAP Server (DSEE instance) as a Managed Resource in ForgeRock OpenIDM (using samples)
– Configuration of OpenDJ instance as a Managed Resource in ForgeRock OpenIDM (using the UI)
– Reconciliation between the DSEE instance (source) and OpenDJ instance (target)


Certification in ForgeRock OpenIDM – Concluding Episode

This blog entry picks up from my earlier blog post around the Certification facility in ForgeRock OpenIDM. Like many of my other video demonstrations, this one also is based on the neat ForgeRock documentation on OpenIDM. So without any further ado, let me present unto you my video log on Certification in ForgeRock OpenIDM.


Certification in ForgeRock OpenIDM Episode I: Initial Reconciliation

If this were a book, what we have here is a prologue. Just as you don’t expect the prologue to throw the full story at you, so does this web log unveil absolutely no details around Certification in ForgeRock OpenIDM. What it does though is set up a ‘plot’ for a possible video demonstration on the Certification facility in ForgeRock’s Identity Management Solution. And that’s coming soon…

So in the video log, that’s actually a visual representation of the brilliant ForgeRock Documentation on OpenIDM, you’ll see:
– Installation of ForgeRock OpenDJ
– Configuration of OpenDJ as an external resource managed by OpenIDM (using sample files)
– Performing the initial reconciliation using REST to load users from OpenDJ to OpenIDM

Soon we’ll put all those users in action for Certification in OpenIDM. For now, just as you’d skim through the prologue of a book, take a quick look at the ~5 minute video.

Baby Step in DTrace on ForgeRock OpenDJ

I’m a big fan of Brendan Gregg. The DTrace Book that he co-authored with Jim Mauro stands as one of the best I’ve read in Computer Science. While I continue to take my baby steps in DTrace, I thought I’d share with you my video log on attempting to explore ForgeRock OpenDJ using the pid provider in DTrace. Brendan Gregg has published a number of blogs around the pid provider, all of which are accessible from his consolidated blog entry here. OTN has very generously published one chapter from the DTrace Book that talks of using DTrace on Applications, in which the pid provider and its use is detailed.

And with the source code of all ForgeRock Products accessible to the public for study, DTrace might just be the tool that you may want to get your hands on for some fun.


Provisioning Users to PostgreSQL Database Table Using ForgeRock OpenIDM

This one is rather uncomplicated. ForgeRock OpenIDM does provisioning well, be it to a Directory Server, a Database or even to several other external resources. The following video log demonstrates exactly that. You’ll see:

– Super quick installation of ForgeRock OpenIDM
– Installation of PostgreSQL database, creation of user with super user role in PostgreSQL, creation of a database and finally creation of a table
– Configure the OpenIDM Database connector to connect to the PostgreSQL database table created in the above mentioned step
– And finally see how the users from OpenIDM are provisioned on to the PostgreSQL database table

It’s all very simple and easy to understand. So enjoy!

ForgeRock OpenAM Multi Factor Authentication Using Adaptive Risk Authentication Module & OTP

In this episode, you’ll see ForgeRock OpenAM’s two factor authentication feature employing its Adaptive Risk Authentication Module instance and HOTP module instance.

So in the video demonstration that follows this post, you’ll see a user attempting to login against an Authentication Chain (say ‘MyAuthChain’) which has three module instances namely (i) Data Store, (ii) Adaptive Risk and (iii) HOTP. If the user is able to supply the right credentials against the Data Store, he or she is allowed in without any further challenge. On the other hand, if the attempt to authenticate against the first Module instance (Data Store) fails, then the user is prompted for additional credentials like a One Time Password.

The following illustration might give a rough idea of what’s discussed above, and the video that follows should make it pretty clear.
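The HOTP step in that chain is the part worth seeing in code. What follows is an added example, not OpenAM’s HOTP module, that implements HOTP generation exactly as RFC 4226 specifies it (HMAC-SHA-1 over an 8-byte counter, dynamic truncation, modulo 10^digits) together with a server-side verification routine. The shared secret is the RFC 4226 test-vector key, and the look-ahead window of 10 is an assumed policy value; OpenAM’s own resynchronisation settings are not modelled here.

```python
import hashlib
import hmac
import struct

# The 20-byte ASCII key used for the test vectors in RFC 4226, Appendix D.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226.

    HMAC-SHA-1 is computed over the counter as an 8-byte big-endian integer,
    a 4-byte window is selected by the low nibble of the last digest byte
    (dynamic truncation), the top bit is masked off to avoid sign issues, and
    the result is reduced modulo 10^digits and left-padded with zeros.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Verify a submitted code against the server's current counter.

    Returns the new server counter on success, or None on failure. The
    look-ahead window (an assumed policy value) tolerates codes the user
    generated but never submitted. Counters at or below server_counter are
    never tried, so a code that was already used or captured cannot be
    replayed, and the comparison is constant-time.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1  # next unused counter value
    return None


if __name__ == "__main__":
    # First few RFC 4226 vectors: 755224, 287082, 359152, ...
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    print("fresh code accepted, new counter:", verify_hotp(RFC4226_SECRET, "287082", 0))
    print("replay of an older code rejected:", verify_hotp(RFC4226_SECRET, "755224", 1))
```

The verification routine is where a deployment gets the security property: advancing the stored counter past the accepted value is what makes a one-time password one-time, and the window bounds how far a token can drift before the user needs an explicit resync.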



ForgeRock OpenIG as OAuth 2.0 Resource Server

First things first, the screen-cast that follows this write-up is based on the ForgeRock documentation on OpenIG that’s found here. Secondly, if you aren’t familiar with ForgeRock OpenIG or ForgeRock OpenAM, I’d recommend you do some reading on the products from the official ForgeRock documentation or watch the following screen-casts to become familiar with them:

ForgeRock OpenIG
ForgeRock OpenIG Installation
ForgeRock OpenIG: Getting Credentials from a File Data Store
ForgeRock OpenIG: Getting Credentials from a JDBC Data Store
ForgeRock OpenIG: Getting Credentials from ForgeRock OpenAM

ForgeRock OpenAM
ForgeRock OpenAM Installation & Configuration
Creating Realm in OpenAM and Setting Up OpenDJ as a Data Store
ForgeRock OpenAM Authentication With Google Account Using OAuth2
ForgeRock OpenAM High Availability Deployment
Configuring Database as OpenAM Log Type
ForgeRock OpenAM 12: Switching from XUI to Legacy UI
Adding User Profile Attribute in ForgeRock OpenAM

Cut to the present: we have OpenIG acting as a resource server. So in the video log, you’ll see curl being used to contact OpenAM to get an access token, then curl again to contact OpenIG with that access token, which is when OpenIG (acting as the resource server) contacts OpenAM (acting as the authorization server) to validate the token. Once the token is validated, OpenIG applies additional filters to post the credentials to an HTTP server and gets the user profile in response. A one-liner definition for the mouthful of jargon I used above can be found here. The illustration below might make the long story told above slightly shorter.
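To make the resource-server role concrete, here is an added example that models the exchange above in a few functions; it is not OpenIG or OpenAM code. The authorization server’s token lookup (what OpenAM’s tokeninfo endpoint provides) is replaced by a constructed in-memory table, the token strings and the user `bjensen` are invented, and the realm name `openig` in the challenge headers is an assumption. What it shows is the decision the resource server makes on every request: no token, an unknown or expired token, and a token without the required scope each get the RFC 6750 response, and only a valid, sufficiently scoped token reaches the profile lookup.

```python
# Constructed stand-in for the authorization server's record of issued tokens.
# A real authorization server reports scope, expiry and subject in a similar shape.
NOW = 1_700_000_000
TOKEN_STORE = {
    "tok-valid":   {"sub": "bjensen", "scope": ["uid", "mail"], "exp": NOW + 3600},
    "tok-expired": {"sub": "bjensen", "scope": ["uid", "mail"], "exp": NOW - 1},
    "tok-narrow":  {"sub": "bjensen", "scope": ["uid"],         "exp": NOW + 3600},
}


def authorization_server_tokeninfo(access_token, now=NOW):
    """Authorization server side: return the token's claims, or None if it is unknown or expired."""
    info = TOKEN_STORE.get(access_token)
    if info is None or now >= info["exp"]:
        return None
    return info


def parse_bearer(headers):
    """Extract the token from an 'Authorization: Bearer <token>' header (RFC 6750).

    Returns None when the header is absent, uses another scheme, or carries no token.
    """
    value = headers.get("Authorization", "").strip()
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def resource_server(request, required_scopes, tokeninfo=authorization_server_tokeninfo, now=NOW):
    """Resource server side: gate the protected resource on a valid, sufficiently scoped token.

    Returns (status, headers, body) in the shape of an HTTP response. The
    challenge header values follow RFC 6750 section 3; the realm is assumed.
    """
    token = parse_bearer(request.get("headers", {}))
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="openig"'}, ""
    info = tokeninfo(token, now)
    if info is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="openig", error="invalid_token"'}, ""
    if set(required_scopes) - set(info["scope"]):
        scope = " ".join(required_scopes)
        challenge = f'Bearer realm="openig", error="insufficient_scope", scope="{scope}"'
        return 403, {"WWW-Authenticate": challenge}, ""
    # Token accepted: downstream filters would now use the subject to fetch the
    # profile from the backing HTTP server. The profile body here is constructed.
    return 200, {"Content-Type": "application/json"}, {"uid": info["sub"], "scope": info["scope"]}


def client_request(access_token):
    """Client side: the request curl sends to the resource server with the token it obtained."""
    return {"method": "GET", "path": "/profile",
            "headers": {"Authorization": f"Bearer {access_token}"}}


if __name__ == "__main__":
    for tok in ("tok-valid", "tok-expired", "tok-narrow", "tok-unknown"):
        print(tok, resource_server(client_request(tok), ["uid", "mail"]))
    print("no header", resource_server({"headers": {}}, ["uid"]))
```

Note that the resource server never inspects the token’s contents itself; validity, expiry and scope all come from the authorization server’s answer, which is exactly the dependency the video shows when OpenIG calls back to OpenAM.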


Now to the real action:

ForgeRock OpenIDM User Provisioning Workflow

ForgeRock OpenIDM, very simply put, manages identity, and not necessarily that of users all the time. In the short video demonstration that follows, I’ve taken efforts to show you a very simple user provisioning workflow in OpenIDM. When an employee in an organization initiates an onboarding request, the workflow is launched and the request reaches a manager, who then picks up the request and approves (or rejects) it. Consequently, the new user’s identity is provisioned on a resource.

This video demonstration owes heavily to this section of ForgeRock documentation.

What’s in the video is a simple exercise, and I strongly encourage anyone interested in ForgeRock’s Identity Management solution to try it and see. Well, if you say you aren’t familiar with the OpenIDM installation, that isn’t difficult either; you can watch it here.


Adding User Profile Attribute in ForgeRock OpenAM

In my earlier blog post titled Extending the ForgeRock OpenDJ Schema, there was an embedded screen-cast that demonstrated how a new attribute could be added to the user profile in OpenDJ. We take one step further in this section and modify a service in ForgeRock OpenAM to display that attribute in the OpenAM Console. So if you’ve watched it, or if you know how to extend the OpenDJ schema to add a new user attribute, the following video log will tell you what you need to do on OpenAM to display it in the console.


Extending the ForgeRock OpenDJ Schema

I had made a promise in my earlier post. This one is intended to fulfill it. One of the common requirements of any Directory Services solution is to extend the set of attributes it supports. In the following video log, which has a running time of just over a dozen minutes, you’ll see how to add a new attribute to an OpenDJ instance.


Accessing ForgeRock OpenDJ Administration GUI (OpenDJ Control Panel) from a Ubuntu Linux Container

You will find an earlier entry on this blog that talked about the installation of a Linux Container and further demonstrated ForgeRock OpenDJ installation and configuration in it. In the last several days, though I posted some content on OpenDJ, I never introduced my kind readers to the Administration GUI that the OpenDJ product comes with. That was mainly because I was struggling to get the GUI from a Linux Container. This morning I was determined more than ever before to get over this roadblock, and, boy, did I manage to figure out, perhaps, one among the many ways of doing it. In the following screen-cast, you’ll see me installing a VNC server on my Linux Container (Ubuntu 14.04.2 LTS) that has OpenDJ in it and then using a VNC client from the host OS (Ubuntu 14.10) to access the OpenDJ Control Panel, a very convenient tool to browse the OpenDJ directory data. Bear in mind that a plain VNC session is not encrypted, so keep it reachable only from the host, or tunnel it over SSH, rather than exposing it on a network interface. Very soon, you’ll see me using the OpenDJ Control Panel for a serious reason. Thank you for your patience.

ForgeRock OpenAM 12: Switching from XUI to Legacy UI

It’s a weekend, so I don’t seem to have the mental bandwidth for a heavy-duty demonstration of ForgeRock products. I’ve a very short video log with a running time of just over a minute and a half to show you how, if required, you can switch from the ForgeRock OpenAM 12 XUI (the default interface) to the OpenAM Legacy UI.