In case you missed the Ignite talks at OSCON 2014, Mike Jang presented what it’s like for a tech writer to take over the role of sys admin.
Excellent talk, Mike! Short, sweet, and had me smiling the whole time.
(Somehow we need to work Edvard Munch into the admonition graphics, too.)
Since I’ve started working at ForgeRock, I’ve had a hard time explaining to my non-technical relatives and friends what we were building. But those days are over.
Thanks to our Marketing department, I can now refer them to our “ForgeRock Story” video:
Filed under: Identity
OpenAM can be configured as an OpenID Connect provider. Ping provides an open source relying party (RP) module for Apache that supports OIDC. This module is an Apache filter that protects pages and requires the user to authenticate with an OIDC provider. The module asserts the user's identity to proxied applications by setting HTTP headers.
- A recent OpenAM 12 build. Subscription customers can contact ForgeRock to get the required functionality in OpenAM 11.x.
- The Ping OIDC module from here https://github.com/pingidentity/mod_auth_openidc
- Configure OpenAM as an OIDC provider
- Create an Agent for the Ping module (Realm -> Agents -> OAuth2 -> new agent)
The Apache configuration details will depend on your O/S distribution. Create an Apache .conf file for the OIDC module and include it in your configuration. Here is an example:
OIDCScope "openid email profile"
The OpenID Connect configuration will depend on the details of your OpenAM installation. Things to watch out for:
- Add the redirect uri to OpenAM's agent configuration. In the above example the Apache server is available at www.example.com. The redirect_uri from above is not a real web resource (you will not find a page that corresponds to that URL). The Ping module intercepts requests to the URL to handle the OAuth protocol dance.
- The Location directive (/openam) protects pages at that root with the OIDC module. This is just an example - you do not need to use /openam.
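As an added example (not the configuration from the original post), a fuller mod_auth_openidc fragment for the setup described above. The OpenAM discovery URL, the agent's client id and secret, the redirect URI, the crypto passphrase and the backend address are assumed placeholders to replace with your own values.

```apache
# Added example, not the original post's configuration. All URLs, the client
# id/secret and the passphrase below are placeholders (assumed values).

# Discovery document published by the OpenAM OIDC provider (assumed host/path).
OIDCProviderMetadataURL https://openam.example.com:8443/openam/oauth2/.well-known/openid-configuration

# Credentials of the OAuth2 agent created in the OpenAM realm (placeholders).
OIDCClientID     apache-rp
OIDCClientSecret REPLACE-WITH-AGENT-PASSWORD

# Must be registered verbatim in the agent's redirect URI list in OpenAM.
# It is not a real page: the module intercepts it to finish the code flow,
# so it has to live under the protected Location below.
OIDCRedirectURI https://www.example.com/openam/redirect_uri

# Secret used to encrypt the module's state/session cookies; keep it private.
OIDCCryptoPassphrase REPLACE-WITH-LONG-RANDOM-SECRET

OIDCScope "openid email profile"

# Only talk to the provider over a validated TLS connection.
OIDCSSLValidateServer On

# Expose the authenticated identity to the proxied application as headers.
OIDCRemoteUserClaim sub
OIDCPassClaimsAs headers

<Location /openam>
    AuthType openid-connect
    Require valid-user
    # Backend that trusts the identity headers; it must be reachable only
    # through this proxy, otherwise a client could supply those headers itself.
    ProxyPass        http://127.0.0.1:8080/app
    ProxyPassReverse http://127.0.0.1:8080/app
</Location>
```

Unprotected paths are proxied without any identity headers, so keep the backend's trust limited to requests that arrive through this Location.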
If you are following the progress of OpenAM in the nightly builds you'll have seen that there has been a fair bit of effort in the new User Interface or XUI. This is a richer UI that uses the REST APIs exposed by OpenAM and so it also serves as a good example for others looking to build their own apps.
But apart from just looking a lot nicer, XUI uses a few newer REST calls to deliver some useful new functionality too. For example, most help-desk calls revolve around setting up new accounts and forgotten passwords. And when we're talking about internet facing services, as with Identity Relationship Management, this problem rapidly scales up to become a nightmare. So one of the aims of XUI is to support self-service user registration and password reset, reducing costs and increasing customer satisfaction at the same time.
It's easy to try this out for yourself. With a recent nightly build of OpenAM do this:
- Configure the REST Security Service globally or per realm, turning on the services you require:
  - global: Configuration...Global...REST Security.
  - per realm: <realmname>...Services, add the REST Security service.
  - (Note: the name of this service may change before OpenAM 12 is released ;-) )
Then when you next hit the Login page you'll see the new self-service options there for you to try:
Both Self-service Registration and Password Reset use email as part of the process, so remember to set up your email service in OpenAM (globally in Configuration...Global or per Realm as a Service).
When you click on "Register" the process is then:
- Supply an email address and you're emailed a link:
- Click on the link to complete the registration process
- et Voilà!
Great article about ForgeRock and its CTO and founder, that tells a lot about the culture of the company: Forgerock’s startup journey.
Filed under: General