Mike Jang on life as a sys admin

In case you missed the Ignite talks at OSCON 2014, Mike Jang presented what it’s like for a tech writer to take over the role of sys admin.

Excellent talk, Mike! Short, sweet, and had me smiling the whole time.

(Somehow we need to work Edvard Munch into the admonition graphics, too.)

Will it blend? Configure OpenAM to use Ping’s OIDC RP module

OpenAM can be configured as an OpenID Connect provider. Ping provides an open source relying party (RP) module for Apache that supports OIDC. This module is an Apache filter that protects pages and requires the user to authenticate with an OIDC provider. The module asserts the user's identity to proxied applications by setting HTTP headers.

  • A recent OpenAM 12 build. Subscription customers can contact ForgeRock to get the required functionality in OpenAM 11.x.
  • The Ping OIDC module from https://github.com/pingidentity/mod_auth_openidc
  • Configure OpenAM as an OIDC provider
  • Create an Agent for the Ping module (Realm -> Agents -> OAuth2 -> new agent)

The Apache configuration details will depend on your O/S distribution. Create an Apache .conf file for the OIDC module and include it in your configuration. Here is an example:

# OpenAM acting as the OpenID Connect provider
OIDCProviderIssuer https://openam.example.com:8443/openam
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo
# Off skips TLS certificate validation of the OpenAM server; use On outside a test setup
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
# Client ID and secret must match the OAuth2 agent created in OpenAM
OIDCClientID apache
OIDCClientSecret password
OIDCScope "openid email profile"
# Must be registered as a redirect URI on the OpenAM agent; handled by the module, not a real page
OIDCRedirectURI https://www.example.com:1443/openam/redirect_uri
# Used to encrypt the module's session/state cookies
OIDCCryptoPassphrase password
# Protect everything under /openam/ with the module
<Location /openam/>
AuthType openid-connect
Require valid-user
</Location>

The OIDC configuration will depend on the details of your OpenAM installation. Things to watch out for:

  • Add the redirect URI to OpenAM's agent configuration. In the above example the Apache server is available at www.example.com. The redirect_uri from above is not a real web resource (you will not find a page that corresponds to that URL). The Ping module intercepts requests to that URL to handle the OAuth protocol dance.
  • The Location directive (/openam) protects pages under that path with the OIDC module. This is just an example - you do not need to use /openam.
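As an added example (not part of the original post or of mod_auth_openidc), here is a small lint script for the configuration above. It parses the OIDC* directives and flags the settings a reviewer would want changed before the proxy goes live: disabled TLS validation, placeholder secrets, endpoints that do not sit under the issuer, a non-HTTPS redirect URI, and an unclosed Location block. The sample configuration embedded in it is constructed from the post's example.

```python
# Constructed sample: the post's mod_auth_openidc fragment, with </Location> closed.
SAMPLE_CONF = """\
OIDCProviderIssuer https://openam.example.com:8443/openam
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCClientID apache
OIDCClientSecret password
OIDCScope "openid email profile"
OIDCRedirectURI https://www.example.com:1443/openam/redirect_uri
OIDCCryptoPassphrase password
<Location /openam/>
AuthType openid-connect
Require valid-user
</Location>
"""

WEAK_SECRETS = {"password", "secret", "changeme"}  # obvious placeholders
ENDPOINTS = ("OIDCProviderAuthorizationEndpoint", "OIDCProviderTokenEndpoint",
             "OIDCProviderUserInfoEndpoint")

def parse_directives(text):
    """Return {directive: value} for OIDC* lines; comments and <Location> lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        if name.startswith("OIDC"):
            out[name] = value.strip().strip('"')
    return out

def lint_oidc_conf(text):
    """Return a list of findings to resolve before this proxy protects real pages."""
    d, findings = parse_directives(text), []
    for key in ("OIDCSSLValidateServer", "OIDCOAuthSSLValidateServer"):
        if d.get(key, "On").lower() == "off":
            findings.append(f"{key} Off: TLS certificate checks against OpenAM are disabled")
    for key in ("OIDCClientSecret", "OIDCCryptoPassphrase"):
        if d.get(key, "").lower() in WEAK_SECRETS:
            findings.append(f"{key}: placeholder value in use")
    issuer = d.get("OIDCProviderIssuer", "")
    for key in ENDPOINTS:
        if not issuer or not d.get(key, "").startswith(issuer):
            findings.append(f"{key} does not sit under OIDCProviderIssuer")
    if not d.get("OIDCRedirectURI", "").startswith("https://"):
        findings.append("OIDCRedirectURI is not https")
    if text.count("<Location") != text.count("</Location>"):
        findings.append("unbalanced <Location> block")
    return findings
```

Running lint_oidc_conf(SAMPLE_CONF) reports the two disabled TLS checks and the two placeholder secrets; with those four directives corrected it returns an empty list.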

Self-service user registration and password reset

If you are following the progress of OpenAM in the nightly builds you'll have seen that there has been a fair bit of effort in the new User Interface or XUI. This is a richer UI that uses the REST APIs exposed by OpenAM and so it also serves as a good example for others looking to build their own apps.

But apart from just looking a lot nicer, XUI uses a few newer REST calls to deliver some useful new functionality too. For example, most help-desk calls revolve around setting up new accounts and forgotten passwords. And when we're talking about internet facing services, as with Identity Relationship Management, this problem rapidly scales up to become a nightmare. So one of the aims of XUI is to support self-service user registration and password reset, reducing costs and increasing customer satisfaction at the same time.

It's easy to try this out for yourself. With a recent nightly build of OpenAM do this:
  1. Configure the REST Security Service globally or per realm:
    • global: Configuration...Global...REST Security.
    • per realm: <realmname>...Services, add the REST Security service.
    • (Note: the name of this service may change before OpenAM 12 is released ;-) )
  2. Turn on the services you require:

Then when you next hit the Login page you'll see the new self-service options there for you to try:

Both Self-service Registration and Password Reset use mail as part of the process, so remember to set up your email service in OpenAM (globally in Configuration...Global or per Realm as a Service).

When you click on "Register" the process is then:
  • Supply an email address and you're emailed a link: 
  • Click on the link to complete the registration process
  • et Voilà!
Simple eh?

- FB