Integrate OpenIDM with Oracle DB

Posted in ForgeRock, OpenIDM, Technical on May 16th, 2012 by OpenIDM blog – Comments Off

Some questions have popped up in the OpenIDM mailing list regarding integration with various database packages, and with a little help from one of our skilled engineers, here is a little cookbook recipe on how to swiftly and easily integrate with Oracle DB for your provisioning purposes.

Currently there is no public JSON configuration file available for Oracle DBs, since database schemas differ from one deployment to the next; however, ForgeRock provides sample configuration files at http://sources.forgerock.org/browse/openidm/trunk/openidm-zip/src/main/resources/samples/provisioners

One of OpenIDM's governing principles is modularity, and it uses OSGi as its modularity framework. So, in order to make the DB connectors work, you need an OSGi-enabled JDBC driver for your database. The downside is that, unfortunately, few driver jars ship ready for OSGi, so you need to repack your own.

There is a how-to for Oracle here: https://bugster.forgerock.org/jira/browse/OPENIDM-580

The same repacking approach also works for the MS SQL JDBC driver or jTDS (http://sourceforge.net/projects/jtds/files/); deploy the repacked driver to the OpenIDM bundle folder. Once the JDBC driver bundle is active, you can use any of the database connectors listed at http://openicf.forgerock.org/connectors/db.html:

openicf-scriptedsql-connector-1.1.0.0.jar
openicf-scriptedsql-connector-1.1.0.1-SNAPSHOT.jar
openicf-databasetable-connector-1.1.0.0-SNAPSHOT.jar
openicf-db2-connector-1.1.0.0-SNAPSHOT.jar
openicf-mysqluser-connector-1.1.0.0-SNAPSHOT.jar
openicf-oracle-connector-1.1.0.0-SNAPSHOT.jar

Download the one you need to the /openidm/connectors folder and restart OpenIDM. There is a CLI tool to generate the configuration file:

./cli.sh configureconnector oracle
Using boot properties at /openidm/conf/boot/boot.properties
0. XML version 1.1.0.0
1. org.forgerock.openicf.scriptedsql.ScriptedSQLConnector version 1.1.0.0
2. Oracle Connector version 1.1.0.0-SNAPSHOT
3. CSV File Connector version 1.1.0.0
4. LDAP Connector version 1.1.0.0
5. Exit
Select [0..5]: 2
Edit the configuration file and run the command again.
The configuration was saved to /openidm/temp/provisioner.openicf-oracle.json

You can edit provisioner.openicf-oracle.json and run the command again. It will connect to your Oracle DB server and populate the schema part of the config file. If you connect to a DB table instead:

./cli.sh configureconnector myOracleDBTable
Using boot properties at /openidm/conf/boot/boot.properties
0. XML version 1.1.0.0
1. org.forgerock.openicf.scriptedsql.ScriptedSQLConnector version 1.1.0.0
2. Oracle Connector version 1.1.0.0-SNAPSHOT
3. CSV File Connector version 1.1.0.0
4. LDAP Connector version 1.1.0.0
5. Database Table Connector version 1.1.0.0-SNAPSHOT
6. Exit
Select [0..6]: 5
Edit the configuration file and run the command again.
The configuration was saved to /openidm/temp/provisioner.openicf-myOracleDBTable.json
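Going back to the driver step at the start of this post: the repacking that the OPENIDM-580 how-to describes by hand can be scripted. The following is an added example, not ForgeRock's code or the how-to's own script; it reads a plain JDBC driver jar, derives Export-Package from the .class entries, adds the OSGi bundle headers (wrapped at the 72-byte manifest line limit) and writes a new jar. The sample jar it wraps is constructed in memory; the symbolic name and version are arbitrary.

```python
"""Repack a plain JDBC driver jar as an OSGi bundle (constructed example)."""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def read_manifest(data):
    """Parse manifest bytes into a dict, joining space-prefixed continuation lines."""
    attrs, key = {}, None
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            attrs[key.strip()] = val.strip()
    return attrs

def write_manifest(attrs):
    """Serialize a dict; the jar spec caps lines at 72 bytes, continuations start with a space."""
    lines = []
    for key, val in attrs.items():
        text = f"{key}: {val}"
        lines.append(text[:72])
        lines.extend(" " + text[i:i + 71] for i in range(72, len(text), 71))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def exported_packages(jar):
    """Every package that holds a .class entry; these become Export-Package."""
    return sorted({n.rsplit("/", 1)[0].replace("/", ".")
                   for n in jar.namelist() if n.endswith(".class") and "/" in n})

def osgi_wrap(jar_bytes, symbolic_name, version):
    """Return a new jar with OSGi headers added; the driver's other manifest entries survive."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    attrs = read_manifest(src.read(MANIFEST)) if MANIFEST in src.namelist() else {}
    attrs.setdefault("Manifest-Version", "1.0")
    exports = ",".join(f'{p};version="{version}"' for p in exported_packages(src))
    attrs.update({"Bundle-ManifestVersion": "2", "Bundle-SymbolicName": symbolic_name,
                  "Bundle-Version": version, "Export-Package": exports,
                  # Drivers pull in javax.sql/javax.naming at runtime; "*" is coarse, narrow
                  # it to an explicit Import-Package list before shipping to production.
                  "DynamicImport-Package": "*"})
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr(MANIFEST, write_manifest(attrs))  # manifest first, as the jar tool does
        for info in src.infolist():
            if info.filename != MANIFEST:
                dst.writestr(info, src.read(info))
    return out.getvalue()

def demo():
    """Wrap a constructed stand-in for an Oracle driver jar and return the new manifest."""
    fake = io.BytesIO()
    with zipfile.ZipFile(fake, "w") as z:
        z.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Title: fake-jdbc\r\n\r\n")
        z.writestr("oracle/jdbc/OracleDriver.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        z.writestr("oracle/sql/ARRAY.class", b"\xca\xfe\xba\xbe")
        z.writestr("META-INF/services/java.sql.Driver", "oracle.jdbc.OracleDriver\n")
    wrapped = osgi_wrap(fake.getvalue(), "oracle.jdbc", "11.2.0.3")
    return read_manifest(zipfile.ZipFile(io.BytesIO(wrapped)).read(MANIFEST))

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against a real driver, call osgi_wrap on the jar's bytes and write the result into the OpenIDM bundle folder; Felix logs an unresolved-import error on startup if the bundle still lacks a package it needs.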

So with the above done, it's time to start CRUDing. Happy CRUD!

Time to React…

Posted in OpenIDM, Sun IdM Migration on May 11th, 2012 by OpenIDM blog – Comments Off

As Oracle effectively puts the nails in the coffin and forever buries Sun Identity Manager (now known as Oracle Waveset) six feet under, it is time to react. The replacement decision customers make will have a huge impact on their Identity Management strategy going forward. Some customers will be bashed with the application-centric, vendor-locked-in message from Oracle to migrate to Oracle Identity Manager, or persuaded by traditional large vendors to pick their offering instead.
Fortunately there are alternatives that do not put you in the corner, that let you stay in control and establish a strategy that fits your needs at a reasonable cost; one of them being ForgeRock OpenIDM.

Let's look at four typical use-cases a Sun IdM customer has deployed and discuss how OpenIDM matches up.

1.) Orphan account detection
Sun IdM provides a reconciliation engine that lets customers define, with XPRESS rules, correlations between target resource accounts and the virtual identity in Sun IdM. Reconciliation runs per resource, compares accounts and produces situations describing whether accounts are matched, unmatched, unknown, etc. OpenIDM offers a similar reconciliation engine, allowing these correlation rules to be migrated from XPRESS to JavaScript. The reconciliation results are similar to what Sun IdM offers, and OpenIDM also exposes the capability of invoking custom reactions to a discovered situation, such as running a script or invoking a BPMN 2.0 workflow. As in Sun IdM, reconciliation also provides the information needed to produce reports such as orphan account reports.

2.) Authoritative Source driven provisioning
Sun IdM provides the mechanism of ActiveSync, where certain connectors or resource adapters are extended with the capability of reacting to changes in near real time (via scheduled polling). The ActiveSync process then discovers CREATE, UPDATE or DELETE situations on resource accounts, and three different workflows parse a set of forms (typically referred to as ActiveSync forms) to manage the attribute transformations and identity data flow.
OpenIDM offers a similar capability and also leverages the same set of connectors as Sun IdM. In the world of OpenIDM this capability is referred to as LiveSync. LiveSync typically runs as a scheduled background process and, instead of UserForms and XPRESS to define the transformations, these are specified in mappings describing the flow from one system to another. The LiveSync life-cycle offers a number of hooks that allow you to specify actions such as running custom scripts or invoking a workflow, offering the same flexibility and capabilities as Sun IdM.

3.) Password Management
A typical quick win and low-hanging fruit with Sun IdM was that once resource adapters or connectors were configured, the password management aspect came with the setup. Sun IdM allows you to specify a governing password policy according to company requirements and enforce it during password resets. Sun IdM also allowed passwords to be intercepted on Active Directory by deploying a special plugin on the AD domain controllers. Self-service capabilities to reset passwords were by default managed using challenge/response questions that could be specified by an administrator, self-defined, or a combination of the two.

OpenIDM provides equal functionality to manage passwords: specify policies using flexible regular expressions in JavaScript rules, reset and change passwords accordingly, and leverage challenge questions for self-service resets. OpenIDM also provides a plugin for AD to intercept passwords and allow them to be synchronized, as well as a plugin for OpenDJ to expose the same capability there.

4.) Self Service requests
Sun IdM allows you to quickly and easily expose custom workflows that interact with the virtual identity and the underlying integrated resources to update attributes, provision new accounts, etc. OpenIDM exposes the same capability but, instead of using a proprietary workflow definition language, leverages the industry standard BPMN 2.0 to specify workflows.

OpenIDM has been designed with flexibility, modularity, scalability and developer-friendliness in mind. That makes it a perfect fit for the same reasons Sun IdM was probably selected in the first place, but without any proprietary technologies that require specific training. Time to make a decision: stuck in the corner, or making a move that gives you options in the future?

Mexico, Mexiiiiico !

Posted in customers, ForgeRock, General, mexico, opendj, performance on April 30th, 2012 by Ludo – Comments Off

I’m just back from a week-long business trip to Mexico City. This was my first time in Mexico and I’ve heard all the rumors of it being a very dangerous city. I must say that I’ve seen a very, very big city, vibrant, busy, with a lot of car traffic, but at no point did I have any fear of being robbed or molested.

Two things struck me during my stay. First, the city is very green. There are lots of trees, plants and flowers everywhere. All main avenues are bordered by trees. It’s like mother nature is trying to tell us that she still exists despite the concrete and buildings.

[Photos: Trees in avenues; tree in flower]

The other thing is that at any time of the day or the night, there are people in the street, trying to earn a little bit of money, selling water, tissues or balloons.

[Photo: Balloon seller (globero)]


The food was amazing. I enjoyed tacos, fresh fruits, some Argentinian bife, jalapeños… Spicy, but not “mucho picante”. As well as beers like Victoria, Bohemia, Dos Equis, Modelo… And tequila, of course!

Other photos from my trip are on Google+

By the way, we did work this week in Mexico.

Below is a photo of the screen as we finished importing the customer’s data in OpenDJ (the data includes a few hundred groups, each averaging 40 000 members). I like this kind of performance number! I will probably say more about the hardware and settings used to achieve that in a future post.

I shall say a big thank you to our partner in Mexico and Latin America: NoLogin. They did everything to make my stay safe and comfortable, including with jalapeños and tequila!

I hope the few companies I visited will turn into customers. I’d like to come back to Mexico again. These 5 days have just gone too fast. And I’ve just started to get into lucha libre ;-)

[Photo: Mexican wrestler]


No REST for the wicked

Posted in Identity Services, OpenAM, REST on April 21st, 2012 by jonathan – Comments Off

Like Ozzy Osbourne, we too want to sing about REST but not Ezekiel’s troubled sea. The world of Representational State Transfer (REST) is the rebirth of HTTP as something more meaningful than a prefix in your browser.

So getting back to the origins of GET and POST (familiar friends), delving into PUT and DELETE (probably strangers), and bringing it full circle to CRUD (relations you have to invite to every party), we are deep within the psyche of OpenAM, where all things good are now viewed through RESTful glasses.

Embracing OAuth2 as a powerful emerging standard and revamping the OpenAM Identity Services that provided a REST-like interface to core functionality is only the start. The shift to a resource-oriented architecture (ROA) is underway and hopes to bring lightweight, flexible access to many more features of this great product.

Stay tuned for updates, and enjoy some Ozzy.

OpenAM 10.0.0

Posted in OpenAM on April 20th, 2012 by OpenAM – Comments Off

This week marks an important event in the life of ForgeRock: OpenAM 10.0.0 has been released!

Thanks to the ForgeRock team, our customers and of course to all our community members that have contributed, either by sending us feedback on the mailing list, by raising issues in bugster, adding documentation in the wiki, or contributing code and extensions. There are many names that I would like to put in a list, but you know who you are and you will soon receive a thank-you email!

A large amount of the code base has been audited and cleaned up, and as a result the overall quality has been improved. Since the initial release of OpenAM more than a thousand bugs, security issues and improvements have been resolved. OpenAM 10.0.0 includes improvements in the areas of Federation with SAML 2.0 and OAuth 2.0, application integration with OpenIG, Risk Based Authentication, and key enhancements in security, reliability, performance and the underlying replication architecture.

These are some of the key enhancements:

Open Identity Gateway (OpenIG): A high-performance identity proxy that expedites the integration of web applications into an OpenAM Single Sign-On environment without touching the application. Ideal for legacy applications where changes to the security model are contraindicated. OpenIG also extends the SAML 2.0 Service Provider capabilities of the OpenAM offering.

Risk Based Authentication: Measure the risk associated with an authentication event and challenge with additional, stronger credentials if the need arises. This is now part of the authentication framework and includes capabilities such as geographic location evaluation, time since last login, number of authentication failures check, IP address history check, cookie associated with a device check and attribute profile check, among others.

OAuth 2.0 authentication: Users can now federate their accounts from Google, Facebook, MSN, and any OAuth 2.0 provider with OpenAM.

SAML 2.0 Identity Provider enhanced capabilities that ease the interaction with end-users for several tasks, such as approval of attribute release to service providers. This is implemented as an additional hook into the SAML 2.0 framework.

ForgeRock’s OpenDJ 2.4.5 is now the embedded configuration store.

Please read the official announcement and the release notes, and take a peek at the documentation. Everything is downloadable from the usual place; the Maven repository has also been updated and the build has been tagged in the repository as 10.0.0.

As usual, your feedback to the mailing list and your participation in the community is very welcome.

Let’s keep rocking!

OpenAM into double digits: Release 10

Posted in OpenAM on April 19th, 2012 by jonathan – Comments Off

OpenAM 10 is out and hits the market with a respectable range of new features. Nudging double digits is no trick and reflects a maturity and age of the product that stretches back towards the last millennium. Living that long in the world of software is not achieved lightly and involves constantly revisiting the techniques and technologies used to stay on top of the pile.

A timeline of LDAP directory services…

Posted in directory, Directory Services, directory-server, dsee, ForgeRock, history, ldap, opendj, openldap, sun on April 17th, 2012 by Ludo – Comments Off

Bill Nelson has published “The Most Complete History of Directory Services You Will Ever Find” (until the next one comes along), a detailed history of LDAP-based directory services and products. Expect a few updates as people find out about this and ask for new data points to be added. But this is the most complete summary I’m aware of. I had a timeline of Sun directory products a few years ago, but Bill’s has more details.

His post includes a visual timeline of the directory service products and their heritage, linked below for your convenience.

Click on the picture for a full size image.

Personally, I’ve been involved with the Sun and derived lines since 1996, and now drive the ForgeRock one: OpenDJ!


OpenAM 10.0.0 is now available…

Posted in ForgeRock, Identity, OpenAM, opensource, OpenSSO, release, security, websso on April 16th, 2012 by Ludo – Comments Off

This is a big milestone for ForgeRock and the OpenAM project, an open source WebSSO, Authentication, Authorization, Federation and Entitlements solution. After months of development (a few more than we anticipated), we’ve finally released OpenAM 10.0.0, a major version of the product.

OpenAM 10 brings a set of new features, including support for OAuth 2.0 client authentication, the ForgeRock Identity Gateway (built out of project OpenIG), enhanced SAML 2 identity provider capabilities, a new Risk Based Authentication module, … It also now relies on OpenDJ 2.4.5, the latest stable release of OpenDJ, the open source LDAP directory server, and supports the internet-draft based LDAP password policy. You can find more details in the press announcement, or the product release notes. The documentation of the OpenAM 10 release can be read at http://docs.forgerock.org/en/index.html?product=openam&version=10.0.0.

The OpenAM 10 release owes a lot to the OpenAM community, for the issues raised (a total of 41 issues fixed in OpenAM 10 were raised by 26 different people) and for the generous patches offered to fix over a dozen of these issues.
To each and every contributor: THANK YOU!


Tab Sweep for Friday April 13th

Posted in directory, directory-server, ForgeRock, Identity, ldap, opendj, OpenIDM, opensource on April 13th, 2012 by Ludo – Comments Off

Another week goes by, and it’s time for another tab sweep.

Syntegrity Networks, one of our major partners in the US, has launched a campaign to encourage their customers to migrate from Sun Directory Server to OpenDJ.

Silverpeas, a collaborative platform built as open source under the GNU Affero license by the eponymous company, has been supporting LDAP for authentication and authorization for some time. The documentation for setting up the LDAP domain has been updated using OpenDJ as the recommended server.

ForgeRock OpenIDM capabilities are growing. After getting OpenIDM to work with Activiti to provide workflows, the team posted an experimental tutorial on integrating Jasper with OpenIDM to produce nice reports. You can find more of these tutorials in the OpenIDM How To Collection.


Lots of change

Posted in Conferences, Development, ForgeRock, OpenAM, User Groups on April 8th, 2012 by GuruAllan – Comments Off

Well, lots of things have changed since the last time I blogged, and yes, I know, it has been a very long time!

So first, some updates. I am now VP Community at ForgeRock, as well as leading the OpenAM Engineering team. This is currently taking most of my time.

First, let me talk about OpenAM Engineering. ForgeRock is currently hiring, and looking for Java engineers to work on all of our products, especially out of the Portland engineering center. I am based in the Portland office, and we are building a team of strong engineers, in both development and support.

We are in the process of hiring development engineers, QA Engineers, Tech Pubs, as well as Support Engineers. If you are interested in working at a really cool company, with really good people, please drop us a line, and send your resume to jobs@forgerock.com.

Jonathan Scudder is also in OpenAM Engineering, and is the OpenAM Architect. The architects are trying to work out all the challenges in implementing Jamie’s direction, of common code, and reuse across all products.

Building the team in the Portland Engineering Center is my primary goal over the next several months.

My other focus is one of my passions: community. I will be focusing on community matters this year, attending many of the identity conferences, as well as many of the development and open source conferences.

I will be attending the Kantara initiative meeting in Munich this week, and then I am speaking on a panel at the KuppingerCole European Identity Conference also in Munich.

Stop by and say hello if you are going to be there, and feel free to let me know if there are any conferences you think we should attend!

Stay tuned for OpenAM Release 10, due out in a week or so.
