OpenDJ on Windows…

[OpenDJ logo] OpenDJ, the LDAP directory service in Java, is supported on multiple platforms and has been for many years. We’re testing on Linux, Windows, Solaris, Mac OS X, but also on different JVMs: Oracle JRE, OpenJDK, Azul Zulu, IBM JVM…

With OpenDJ 2.6, we’ve made it easier for people to install it on Linux machines by providing RPM and Debian packages.

We are now also providing an MSI package to ease installation and removal on Windows machines. The MSI package is available for nightly builds here.

[Screenshot: OpenDJ MSI Installer, 2015-01-28]


A fresh look for the OpenDJ and OpenIG snapshot documentation…

[Screenshot: OpenDJ Administration Guide] Thanks to Chris Lee, the most recent technical writer at ForgeRock, there is now a new visual design for the snapshot documentation of our open source projects.
Check it out on the OpenDJ Administration Guide, the OpenDJ SDK Developer’s Guide, the OpenIDM Integrator’s Guide or the Guide to OpenIG.


Top 5 Security Predictions for 2015

January can't go by without another set of prediction blogs coming our way. Be that for lifestyle, how to lose weight, how to gain weight, how to change our lives and so on. I thought I would join the bandwagon and jot down what I think will be the top 5 challenges facing organisations from a security perspective this year. If I'm being diligent enough, I may even review it come December (only if I'm right of course...).

Customer Identity Management Will Keep CIOs Awake at Night

Many organisations are going through digital transformation processes, be that public sector departments wanting to streamline areas such as taxation, driving licence management or health care, through to private sector organisations looking to reduce costs or open new market opportunities.

Digital initiatives are everywhere. Don't believe me? Check out how many CDOs (Chief Digital Officers) now exist on LinkedIn: over 3000 in the UK alone. These new approaches to product and service delivery require a strong hold on the identity and access management requirements of customers. Customer registration, authentication, two-factor authentication and device fingerprinting are just a few of the topics hitting the to-do list of many CISOs and CIOs, all services that suddenly need rolling out to potentially millions of end users. Big scale and big headaches will result if a modular and scalable identity platform isn't available.

Water Cooler Chat Will Be All About Device Security and Internet of Things Madness

By now, everyone has an automated toilet, with a mood-influenced flush, that instantly publishes the metadata to Twitter, right? Perhaps not, but there is no doubting that the Internet of Things landscape is maturing rapidly and the identity of things (shameless blog plug) is going to be a huge area for device manufacturers, service providers and end users.

IoT systems and devices have all been about communications and interoperability so far. Adding communications services to low-power, low-capacity devices brings new opportunities for things like home automation, smart cities, smart cars and more. However, as these devices collect, store and distribute data to brokers and cloud services, data privacy becomes a huge concern, especially if the data contains production plant statistics or personal health information. The devices, and the ecosystem that supports the delivery of those devices, will need to be coated in a meta layer of security, from registration and authentication services through to lightweight encryption and signing technology.

Passwords on the Mobile Will Disappear (Ok not entirely..)

Passwords are dead. Long live the passwords. I think this topic has been the most written about in blog history. Ever. Ok, perhaps not quite ever, but the number of column inches dedicated to the next big thing in password-less authentication / how passwords can't die / how passwords will die is quite remarkable. One thing for sure is that the number of users accessing web content and apps via mobile devices (be that phones or tablets) is continuing to rise and significantly outstrip the need for desktops. What that does, of course, is increase the desire for less reliance on password-based authentication on mobile tech. It's simply too inconvenient and too insecure. As mobile devices build out easier-to-use secure elements, the storage of crypto material, session tokens, refresh tokens and other authentication data will allow protocols such as OAuth2, or crypto-related authentication schemes, to take precedence over the traditional username and password approach.

Employees Will Want Access to More Cloud Services

Many organisations are at a crossroads when it comes to cloud services. Many want to embrace new, as-a-service based components such as HR, payroll, collaboration and office automation systems. They are often very simple to register and pay for, simple to set up, and allow the organisation to concentrate on its key competency areas. This does, however, bring strong challenges with regards to employee provisioning and single sign-on to external services. Employees do not want to have to remember new and different usernames and passwords to access Google Apps, Salesforce or HR Factors. Single sign-on is mandatory for user convenience, as is the ability to create and remove users in a streamlined and automated fashion, using provisioning systems deeply integrated with HR rules and business logic. These new requirements can put strain on already buckling legacy provisioning and access management systems that were often conceived and implemented long before the 'cloud' was cool.

Consumers Will Want More Control and Transparency Over Their Data

This last one is interesting. I don't think this is suddenly a new requirement or concern for 2015. I think it has always been the case that consumers are very keen to keep their online identity secure, their banking details safe and their national insurance or social security number locked up. However, as more and more devices require and process our personal data, end users are becoming more enlightened with regards to how their data is used and stored.

The Internet of Things takes this to a new level, with many more services, apps and devices wanting to consume, process and potentially redistribute personal data. End users want a clear, simple and transparent method of not only sharing data, but also revoking previously granted access to personal data. We are probably some way off this being a reality, but protocols such as OAuth2 and User-Managed Access can go some way to help fulfil these newer requirements.

By Simon Moffatt

OpenAM 12 and Social Authentication

Many OpenAM deployments are consumer-facing where organizations are looking to deliver a great service to their existing, and new, customers. Earlier, we talked about how self-service registration in OpenAM 12 makes it easy for new customers to sign up, but even a simple web form is too much trouble for some people (myself included).

So the arrival of Social Authentication in OpenAM 12 is warmly welcomed. This means that administrators can quickly roll out support for social identities, from the likes of Google, Facebook and Microsoft, and customers or users get a great new way to sign in by simply clicking on the social Identity Provider (IDP) logo.
No more registration forms, just easy and rapid access to your OpenAM protected service.

Here's how it works:

The OpenAM administrator needs an account with the relevant IDP, but then he simply:
  1. Registers the OpenAM server deployment as a Client App with the Social IDP;
  2. Configures OpenAM using these newly created Client App ID details at the IDP;
  3. That's it! Users can now log in using their Google/Facebook/Microsoft credentials.

(In this example we'll use Google, but the same basic procedure is used with all the IDPs.)

Firstly, I go to my Social IDP registration page. At the time of writing these are:
...and create a project or app.

With Google it goes like this (click on the screenshots to zoom in):

(1) Create a Project:

(1a) For Google, we also need to enable the Google+ API:

(2) In a separate browser window, go to the Administration Console of OpenAM, go to the Common Tasks pane and click on the appropriate IDP, Google in our case:

(3) Copy the pre-filled Redirect URL from OpenAM:

(4) Now return to the Google developer console browser window and create a new Client ID:

(5) Paste the previously copied Redirect URL to associate it with this Client ID:

(6) Now copy the Google Client ID and Secret and paste them back into OpenAM:

(7) On clicking Create, OpenAM uses this information to automatically configure:

  1. An OAuth2/OpenID Connect authentication module;
  2. An authentication chain containing this authentication module;
  3. A social service which can be queried by the OpenAM user interface or other REST clients to get information about the configured social authentication providers.

User Experience

Now we'll look at the user experience...

(1) When the login page is reached, the new OpenAM 12 XUI, which is a smart JavaScript client, queries the REST endpoint of the social authentication service to discover what is available. This endpoint provides a logo which is displayed as part of the login dialog:

(2) When the user clicks on this logo, she is redirected to the social authentication page:

(3) The first time the user does this a consent page is displayed:

(4) On accepting this, the user is logged in to OpenAM:

OpenAM can optionally create new accounts based on data gleaned from the social IDP so that services using OpenAM can identify and provide a rich experience to returning social users.
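The registration steps (1)-(7) and the user journey above, as an added example that is not OpenAM's code or part of the original post: a mock social IdP and a relying party (the role OpenAM plays) run the OAuth2 authorization-code exchange in Python, and the demo shows what the registered Redirect URL, Client ID and Secret, and a per-login state value buy the deployment: a redirect to an unregistered URL is refused, a callback arriving in a different browser session is refused, and a code is refused on reuse. Every name, URL and value in it is constructed for the demo.

```python
# Added example, not OpenAM's code: minimal authorization-code exchange between
# a relying party (OpenAM's role after steps 1-7) and a mock social IdP.
# All identifiers, URLs and values below are constructed for the demo.
import secrets
from dataclasses import dataclass, field


@dataclass
class MockIdP:
    """Stand-in for the social IdP; holds the Client App registration (steps 4-6)."""
    clients: dict = field(default_factory=dict)  # client_id -> (secret, redirect_uri)
    codes: dict = field(default_factory=dict)    # code -> (client_id, redirect_uri, subject)

    def register_client(self, redirect_uri):
        client_id, secret = "cid-" + secrets.token_hex(4), secrets.token_urlsafe(16)
        self.clients[client_id] = (secret, redirect_uri)
        return client_id, secret

    def authorize(self, client_id, redirect_uri, state, subject):
        """Authorization endpoint: user consents, IdP issues a one-time code."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:  # only the Redirect URL pasted in step (5)
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(8)
        self.codes[code] = (client_id, redirect_uri, subject)
        return {"code": code, "state": state}  # carried back by the browser

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: back-channel exchange of the code for the user's profile."""
        secret, _ = self.clients[client_id]
        if not secrets.compare_digest(client_secret, secret):
            raise ValueError("bad client secret")
        entry = self.codes.pop(code, None)  # a code is single-use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid or replayed code")
        return {"sub": entry[2], "email": entry[2] + "@example.test"}


@dataclass
class RelyingParty:
    """The OpenAM side, configured with the values from step (6)."""
    idp: MockIdP
    client_id: str
    client_secret: str
    redirect_uri: str
    pending: dict = field(default_factory=dict)   # state -> browser session
    accounts: dict = field(default_factory=dict)  # local uid -> profile

    def start_login(self, session_id):
        """User clicked the IdP logo: build the authorization request."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = session_id
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}

    def callback(self, session_id, params):
        """Browser returned to the Redirect URL carrying code and state."""
        if self.pending.pop(params.get("state"), None) != session_id:
            raise ValueError("unknown or mismatched state")  # login-CSRF protection
        profile = self.idp.token(self.client_id, self.client_secret,
                                 params["code"], self.redirect_uri)
        uid = "google-" + profile["sub"]        # constructed local naming scheme
        self.accounts.setdefault(uid, profile)  # create the account on first login
        return uid


def build():
    """Steps (1)-(6) in code: register the RP at the IdP and configure it."""
    idp = MockIdP()
    uri = "https://openam.example.test/openam/callback"  # constructed Redirect URL
    client_id, secret = idp.register_client(uri)
    return idp, RelyingParty(idp, client_id, secret, uri)


def login(rp, idp, session_id, subject):
    """Full journey: logo click, consent at the IdP, return to the RP."""
    req = rp.start_login(session_id)
    resp = idp.authorize(req["client_id"], req["redirect_uri"], req["state"], subject)
    return rp.callback(session_id, resp)


def rejected(fn):
    try:
        fn()
    except ValueError:
        return True
    return False


def demo():
    idp, rp = build()
    first = login(rp, idp, "browser-1", "alice")
    second = login(rp, idp, "browser-1", "alice")  # returning user, same account
    req = rp.start_login("browser-2")
    bad_uri = rejected(lambda: idp.authorize(
        req["client_id"], "https://unregistered.example.test/cb", req["state"], "alice"))
    resp = idp.authorize(req["client_id"], req["redirect_uri"], req["state"], "alice")
    bad_state = rejected(lambda: rp.callback("browser-3", resp))  # other session
    req2 = rp.start_login("browser-4")
    resp2 = idp.authorize(req2["client_id"], req2["redirect_uri"], req2["state"], "bob")
    rp.callback("browser-4", resp2)
    replay = rejected(lambda: idp.token(rp.client_id, rp.client_secret,
                                        resp2["code"], rp.redirect_uri))
    return {"first": first, "second": second, "accounts": len(rp.accounts),
            "bad_uri": bad_uri, "bad_state": bad_state, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Running demo() logs alice in twice against one local account, then exercises the three refusals. The exact-match check on redirect_uri is why step (5) matters: the IdP will only send codes back to the URL registered for that Client ID, and the token endpoint requires the Client Secret from step (6) before it releases the profile.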

Social Authentication in OpenAM 12 takes only a few minutes for administrators to configure.
For sites looking to make life as easy as possible for new customers or users, Social Authentication is a great option.

- FB