– All urls that hit OpenIG, containing a string ‘openam’ getting redirected to OpenAM URL
– All urls that hit OpenIG, that does not contain the string ‘openam’ getting redirected to:
OpenAM for Authentication if there is no valid User session and then on to OpenIDM UI
2. OpenIDM UI if there is a valid User sessionOpenIDM UI
ForgeRock Identity Management solution includes generic Groovy Connector Toolkit that enables you to run Groovy scripts on any external resource. You can read more about it here. Lifted verbatim from the OpenIDM 4 documentation mentioned above:”To facilitate creating your own scripted connectors with the Groovy Connector Toolkit, OpenIDM provides a scripted connector bundler. ” I followed Instructions in there (as well as in the README file of the ‘sample3’ in OpenIDM installation directory), to build a ScriptedSQL Connector to connect OpenIDM to a MySQL Database and my Video Log is below:
If you’re in a hurry to know what each of the ForgeRock Identity Platform Components is meant to do, try the Full Stack Configuration. In just over fifteen minutes, you’ll see:
– Installation of ForgeRock OpenDJ
– Deployment of ForgeRock OpenAM
– Configuration of OpenDJ as an Identity Repository in ForgeRock OpenAM
– Installation of ForgeRock OpenIDM
– Configuring OpenDJ as External Resource in OpenIDM
– Running a reconciliation in OpenIDM from OpenDJ
– Provisioning a User from OpenIDM to OpenDJ
– Using OpenAM as the Authentication Module for OpenIDM
With a much awaited weekend around the corner, I couldn’t really get over the laziness to create a better illustration than the one below to help visualize what’s mentioned above.
The video embedded below is quite straight forward. It demonstrates how to configure Database Table Connector in ForgeRock OpenIDM 4 to connect to provision/deprovision Users in a Database Table (MySQL):
We have already discussed on this space the installation of ForgeRock Identity Management Solution and further configuring a Database as its repository. But in those discussions, all the critical components of the Solution namely the ForgeRock OpenIDM 4, MySQL Database were a Single Point of Failure. In an environment where business continuity is critical, we ought to build a solution that has no SPOF in the architecture. So I’m going to take you through that route today. Of course, this is a hint and just a way to understand the different options that you might consider in Configuring ForgeRock OpenIDM 4 for High Availability.
I’ve a rather simple example of HA configuration, mainly meant for understanding and learning it. In a sensitive infrastructure, a great deal of planning goes into building a Highly Available Environment. So what’s the small little setup we’ve here for learning:
Two instances of ForgeRock OpenIDM 4 connects to a MySQL Proxy, which in turn talks to a MySQL Replication site. Of course, in this setup, MySQL Proxy is a SPOF, so you should have at least two of it in front of the MySQL Replication site. But if I had attempted to it, the whole thing would have looked a lot more complicated and would have failed the objective of being a learning tool. So if you’ve just under a half an hour to spare, you will know:
– How to use MySQL Proxy
– How to setup MySQL Replication (Master/Slave)
– How to install OpenIDM 4
– How to configure OpenIDM 4 to use a MySQL Database as its Repository
– How to bring up an OpenIDM Cluster environment
Well, the final state is what you get to see in the illustrations above.
A few months back, I had published a post with a video demonstration on setting up Email in now older version of ForgeRock OpenIDM. If you haven’t seen it and would like to take a look at it, it’s here. Between now and then a lot of things changed, one of which is an improved UI in the recently released OpenIDM 4. If you’ve four minutes to spare, watch the video below to see how good a work has gone into the OpenIDM 4 UI improvement.
ForgeRock OpenIDM 4 uses OrientDB as its default datastore, which is good for learning and evaluation, but not suitable for a Production environment. In an earlier post on this space, we looked at the Configuration of MySQL database as the repository for OpenIDM 4. Picking up from there, because a site that I know of uses PostgreSQL instead of MySQL, made a quick demonstration on setting up OpenIDM 4 with PostgreSQL.
Think of this post as a remake of an earlier one done several months back. Well, just tha, the earlier blog post in reference here was based on a now older version of OpenIDM, ForgeRock‘s Identity Management Solution. As always, I’m grateful to the ForgeRock documentation team for a clean write up on the Configuration of MySQL as a repository for ForgeRock OpenIDM 4.
ForgeRock OpenIDM, the Identity Management solution from ForgeRock offers nice and easy way to perform most of the common scenarios one can think of in the Identity Management domain. Once such commonly occurring situations is to link an account of a User in IDM with his/her Multiple accounts in a resource such as LDAP Server like ForgeRock OpenDJ. Let’s try to understand how that’s achieved in OpenIDM using the illustration below:
As you can make out, OpenIDM is connected to an OpenDJ instance. You could also see two OpenIDM Roles defined namely ‘Agent’ and ‘Insurer’. Each of the Role is attached to a Managed Assignment. And the Managed Assignment in turn has Attributes and Link Qualifiers. The Attribute refers to a User Attribute in OpenDJ with a corresponding value (say cn=Chat Users, ou=Groups,dc=example,dc=com) and Link Qualifier is used to construct a DN (say uid=bjensen,ou=Customers,dc=example,dc=com).
So a Role that has the Managed Assignments with the said Attributes and Link Qualifier would (i) be a member of ‘cn=Chat Users, ou=Groups,dc=example,dc=com‘ and will belong to a branch that’s determined by the DN uid=bjensen,ou=Customers,dc=example,dc=com. Clearly, multiple OpenIDM Role assignments to a single OpenIDM User will link that User’s account with multiple DNs in the OpenDJ instance. Please note that the LDAP group is omitted from the illustration above for brevity. The following equation might give us a rough translation of the above statements:
OpenIDM User (bjensen) <---- OpenIDM Role (Insurer) <---- Managed Assignment (cn=Chat Users,ou=Groups,dc=example,dc=com Attribute && dn: uid=?,ou=Customers,dc=example,dc=comLink Qualifier) ===> bjensen user in the ou=Customers branch of OpenDJ instance DIT (uid=bjensen, ou=Customers,dc=example,dc=com) and the user’s subscription to a LDAP Group cn=Chat Users, ou=Groups,dc=example,dc=com)
Not clear? Have a screen-cast for you. Please take a look and see if it gives you a clearer picture.
For those interested to know how to configure Roles in ForgeRock OpenIDM, here’s my Christmas gift. A video at the end of this post will walk you through the installation of both ForgeRock OpenIDM and ForgeRock OpenDJ, configure the latter as an external resource in OpenIDM, performing reconciliation to bring in users from OpenDJ to OpenIDM. That’s not it, because all of that I’ve shown you earlier as well. Then, what’s more? Here it is:
So we go on and create Roles in OpenIDM, which has Managed Assignments that in turn has Attributes associated with an external resource (ForgeRock OpenDJ). So when a Role is assigned to a user in OpenIDM, based on the value of Attribute that is attached to the Role, the user will be subscribed to a group in the OpenDJ. If it sounds confusing,please don’t waste time reading it again, instead watch the video below, it’ll all be crystal clear.
It’s not for no reason that I picked up ‘Whistling Down the Road’ by Silent Partner (Courtesy: Google YouTube Audio Library) as the audio background for the screen-cast embedded on this blog post. The installation of ForgeRock OpenIDM 4 is one such experience, as in like just whistling away down the road! See it to believe it and don’t forget to try it.
I’ve done a similar screen-cast before, but that’s using OpenIDM 3.x. Be wary of the fact that the software used in this screen-cast is not yet read for Production. But now that the ForgeRock Management have given us this clue on the road ahead for the ForgeRock Products, it makes sense to start exploring it (if not already done).
So in the video below, you’ll see the lightning fast installation of both OpenIDM and OpenDJ and configuration of OpenDJ as an External Resource for OpenIDM.
No one wants to stay logged in on to the User Interface of a Provisioning Tool, waiting for the approval requests to flood into their queue in order to take an appropriate action. We have other things to do in life and for matters that require our attention we all expect notifications, don’t we? Without doubt, one very common and an easy channel for notification is Email, which some consider to be the first and the last killer app of the Internet. Just like many other configurations, setting up Outbound Email in ForgeRock OpenIDM is a walk in the park. If you have just over 5 minutes to spare, watch how it’s done in the video below:
This blog entry picks up from my earlier blog post around Certification facility in ForgeRock OpenIDM. Like many of my other video demonstration, this one also is based on the neat ForgeRock documentation on OpenIDM. So without any further ado, let me present unto you my video log on Certification in ForgeRock OpenIDM.
If this was a book, what we have here is a prologue. Just as you don’t expect the prologue to throw a full story at you, so does this web log unveil absolutely no details around Certification in ForgeRock OpenIDM. What it does though is to setup a ‘plot’ for a possible video demonstration on Certification facility in ForgeRock’s Identity Management Solution. And that’s coming soon…
So in the video log, that’s actually a visual representation of the brilliant ForgeRock Documentation on OpenIDM, you’ll see:
– Installation of ForgeRock OpenDJ
– Configuration of OpenDJ as an external resource managed by OpenIDM (using sample files)
– Performing the initial reconciliation using REST to load users from OpenDJ to OpenIDM
Soon we’ll put all those users in action for Certification in OpenIDM. For now, just as you’d skim through the prologue of a book, take a quick look at the ~5 minute video
This one is rather uncomplicated. ForgeRock OpenIDM does provisioning well, be it to a Directory Server, a Database or even to several other external resources. The following video log demonstrates exactly that. You’ll see:
– Super quick installation of ForgeRock OpenIDM
– Installation of PostgreSQL database, creation of user with super user role in PostgreSQL, creation of a database and finally creation of a table
– Configure the OpenIDM Database connector to connect to the PostgreSQL database table created in the above mentioned step
– And finally see how the users from OpenIDM are provisioned on to the PostgreSQL database table
It’s all very simple and easy to understand. So enjoy!
ForgeRock OpenIDM, very simply put, manages the identity, not necessarily of users all the time. In a short video demonstration that follows, I’ve taken efforts to show you a very simple user provisioning workflow in OpenIDM. When an employee in an organization initiates an onboard contract, the workflow is launched and the request reaches a manager, who then pickups the request and approves (or reject) it. Consequently, the new user’s identity is provisioned on a resource.
What’s in the video is a simple exercise and I strongly encourage anyone interested in ForgeRock’s Identity Management solution to try it and see. Well, if you say you aren’t familiar with the OpenIDM installation, that isn’t difficult either, you can watch it here.
– Setting up SSL in MySQL database
– Configuring OpenIDM to use SSLto the MySQL database (its internal repository)
Like several other videos that I’ve already published on this blog space around ForgeRock products, this one also makes use of Ubuntu 14.10 host 0S. A Linux Container running Ubuntu 14.04.2 LTS is where we’ve our ForgeRock OpenIDM and MySQL database running. The illustration below might help you get a quick picture about the infrastructure used for the screen-cast:
The following video log is a very light one, partly because I haven’t done a video on REST interface around OpenIDM, but have done similiar ones for both OpenDJ and OpenAM, and partly because I’m feeling too sleepy to do a screen-cast on tougher topics. Talking of REST, in case if you haven’t seen my earlier reference to a neat and curt introduction to ForgeRock Common REST API, read it here.
Again, for those who are not familiar with REST calls to OpenIDM, the embedded video below might just give an idea of how to create a user and fetch a user profile in OpenIDM using REST.
On this site, I’ve written another couple of posts around ForgeRock OpenIDM. If you’re not familiar with OpenIDM, I’d recommend reading/watching those (mentioned below), before viewing the video log embedded at the end of this post.
Video logs on the links above are quite detailed, but if you’ve not much time to spare to watch all of it, not to worry, the installation of OpenIDM and configuration of MySQL as its internal repository is quickly covered in the following screen-cast as well.
The below illustration might give you a rough idea about the infrastructure that I used to perform the demonstration on OpenIDM Cluster Configuration. I’ve a Host Operating System of Ubuntu 14.10 in which there are many Linux Containers. Two of LXCs named ‘my-openidm’ & ‘my-openidm2’ are used to install two separate instances of ForgeRock OpenIDM (say ‘node1’ & ‘node2’). A directory named ‘/software’ on the Host OS that has all required binaries is shared as ‘/source’ inside the Linux Containers. For brevity, I’ve included only the relevant LXCs in the illustration as follows:
Please use the embedded video for a quick reference. For a detailed study on how the OpenIDM works in a cluster, please refer to the ForgeRock documentation.
ForgeRock OpenIDM comes bundled with OrientDB. But the use of OrientDB as an internal repository for OpenIDM is not recommended in a production environment. A list of supported JDBC repositories for production use with OpenIDM can be found here. In this post, you’ll find a screen-cast that demonstrates the configuration of MySQL as an internal repository for OpenIDM. The following video log, however, does not demonstrate the installation of OpenIDM, but if interested you can watch the OpenIDM installation here.
This post picks up from an earlier one and maybe it makes sense to have look at that first before going through this one. So now that we have ForgeRock OpenIDM running inside a Linux Container, in the video log embedded below, we integrate it with ForgeRock OpenDJ. We’ll then use OpenIDM to provision users on to the OpenDJ. Here’s a summary of what you get to see in the video:
– A quick look at the existing installation of ForgeRock OpenIDM and ForgeRock OpenDJ
– Configuring OpenIDM with LDAP connector during startup using available sample files
– Reconciliation of identifies from ForgeRock OpenDJ to ForgeRock OpenIDM
– Provisioning users from ForgeRock OpenIDM to ForgeRock OpenDJ
Chronologically, this is my third blog update around ForgeRock software stack, the first two being Installation of OpenDJ in a Linux Container and ForgeRock OpenAM Installation in a LXC. While none of these entries have any dependency on each other whatsoever, it is recommended to watch it in order so as to get a fairly uncomplicated idea on the infrastructure being used for demonstrations. In the video logs embedded in all the blog posts as mentioned above, the ForgeRock products are being installed in Linux Containers in Ubuntu Linux flavour that in turn is running in a Virtual Box. Because I thought it maybe relatively effortless for you to sit back and enjoy watching a video rather than reading through a lengthy essay, I’m sticking to my idea of publishing my screen-cast on installation of ForgeRock OpenIDM in a Linux Container. In the screencast, you’ll find:
– Creating new linux container for installation of OpenIDM
– Installation of OpenIDM in a LXC
– Starting/stopping OpenIDM Services
– Accessing OpenIDM using REST calls
– Accessing OpenIDM using BUI
– Configuring OpenIDM as a run control script in Ubuntu Linux
With a hope that this screencast will give you a some understanding on getting started with ForgeRock OpenIDM, I here unto present it for you:
We will figure out how to use OpenIDM for Identity provisioning in a later segment, not too far in the future. In the mean time, if you would like to browse away the features of ForgeRock OpenIDM, its documentation can be found here.