ForgeRock OpenIDM User Provisioning Workflow

This blog post was first published @ www.fedji.com, included here with permission.

ForgeRock OpenIDM, very simply put, manages the identity, not necessarily of users all the time. In a short video demonstration that follows, I’ve taken efforts to show you a very simple user provisioning workflow in OpenIDM. When an employee in an organization initiates an onboard contract, the workflow is launched and the request reaches a manager, who then pickups the request and approves (or reject) it. Consequently, the new user’s identity is provisioned on a resource.

This video demonstration owes heavily to this section of ForgeRock documentation.

What’s in the video is a simple exercise and I strongly encourage anyone interested in ForgeRock’s Identity Management solution to try it and see. Well, if you say you aren’t familiar with the OpenIDM installation, that isn’t difficult either, you can watch it here.

Enjoy!

Adding User Profile Attribute in ForgeRock OpenAM

This blog post was first published @ www.fedji.com, included here with permission.

In my earlier blog post titled Extending the ForgeRock OpenDJ Schema there was an embedded screen-cast that demonstrated how a new attribute could be added to the user profile in OpenDJ. We take one step further in this section to modify at Service in ForgeRock OpenAM to display that attribute in OpenAM Console. So if you’ve watched or if you know how to extend the OpenDJ schema to add a new user attribute, the following video log will tell you what you need to do on OpenAM to display it in the console.

Enjoy!

Extending the ForgeRock OpenDJ Schema

This blog post was first published @ www.fedji.com, included here with permission.

I had made a promise in my earlier post. This one is intended to fulfill it. One of the common requirements of any Directory Services solution is to extend the attributes that it supports. In the following video log that has a running time of just over a dozen minutes, you’ll see how to add a new attribute to the OpenDJ instance.

Enjoy!

Accessing ForgeRock OpenDJ Administration GUI (OpenDJ Control Panel) from a Ubuntu Linux Container

This blog post was first published @ www.fedji.com, included here with permission.

You will find an entry on my blogs that talked about the installation of Linux Container and further demonstrated ForgeRock OpenDJ installation and configuration in it. In the last several days, though I posted some contents on OpenDJ, I never introduced my kind readers to the Administration GUI that the OpenDJ product comes with. That was mainly because I was struggling to get the GUI from a Linux Container. This morning I was determined more than ever before to get over this roadblock, and, boy, did manage to figure out, perhaps, one among the many ways of doing it. In the following screen-cast, you’ll see me installing VNC Server on my Linux Container (Ubuntu 14.04.2 LTS) that has OpenDJ in it and then use a VNC client from the Host OS (Ubuntu 14.10) to access the OpenDJ Control Panel, a very convenient tool to browse the OpenDJ Directory data. Very soon, you’ll see me using OpenDJ control panel for a serious reason. Thank you for your patience.

ForgeRock OpenAM 12: Switching from XUI to Legacy UI

This blog post was first published @ www.fedji.com, included here with permission.

It’s a weekend, so I don’t seem to have the mental bandwidth for a heavy duty demonstration on ForgeRock products. I’ve a very short video log that has a running time of just over a minute and half to show you how, if required, you can switch from ForgeRock OpenAM 12 XUI (default interface) to OpenAM Legacy UI.

Enjoy!

ForgeRock OpenIG: Getting Credentials from ForgeRock OpenAM

This blog post was first published @ www.fedji.com, included here with permission.

In this episode, you’ll see how ForgeRock OpenIG picks up user credentials from ForgeRock OpenAM, and gives the user access to an application. Now that’s quite a bit of information in a single line. So let’s break it down into pieces:

– A user tries to access ‘http://openig.mydomain.com:8080/replay’ url
– A Java EE OpenAM Policy Agent sitting in front of the ‘http://openig.mydomain.com:8080′ url intercepts the request from the client (user’s browser) and redirects the request to ForgeRock OpenAM (http://openam.mydomain.com:8080/openam)
– ForgeRock OpenAM will send the OpenAM Login Page back to the user
– The user supplies the credential, which the OpenAM verifies. If authentication is successful,OpenAM adds the username of the user and his/her encrypted password to the session and sends it to Java EE Policy Agent
– Java EE Policy agent validates the user’s session, gives control to OpenIG.
– Because the URL that the client requested for (http://openig.mydomain.com:8080/replay), matches a specific route (say 04-route.json) configured in OpenIG, it applies the filters in the route configuration file. The first filter will use a shared key (also known to the OpenAM) to decrypt the encrypted password sent by OpenAM. The second filter will retrieve the username and password from the exchange and replaces your browser’s original HTTP GET request with an HTTP POST login request that contains the credentials to authenticate and the third filter will remove the username and password headers before continuing to process the exchange.
– The HTTP server validates the credentials and respond back to OpenIG with user’s profile page
– OpenIG sends that response to the end user
A couple of things though: OpenAM in our setup is configured to process a ‘Password Replay’ Java Class on successful authentication. The Java EE agent in OpenAM is configured only for Single Sign On (SSO) and is configured to add the UserToken (username) and sunIdentityUserPassword (password) as session attributes in HTTP header.

The picture below may not speak thousand words, but it does speak all the words I uttered above:

OpenIGWithOpenAM

If you’re new to ForgeRock OpenIG, I recommend viewing screen-casts at the following links first:
ForgeRock OpenIG Installation & Configuration
ForgeRock OpenIG: Getting Credentials from File Data Source
ForgeRock OpenIG: Getting Credentials from JDBC Data Source

The following video would not have been possible, but with the help of ForgeRock Documentation.

Enjoy!

 

ForgeRock OpenIDM: Setting Up SSL With MySQL Internal Repository

This blog post was first published @ www.fedji.com, included here with permission.

If you’ve already seen the video demonstration on setting up ForgeRock OpenIDM to use a JDBC repository, you may now be interested to know how to secure the traffic from ForgeRock OpenIDM to its JDBC repository. So in the video that follows, you will see:

– Setting up SSL in MySQL database

– Configuring OpenIDM to use SSLto the MySQL database (its internal repository)

Like several other videos that I’ve already published on this blog space around ForgeRock products, this one also makes use of OpenIDMwithSSLtoJDBC-01

Hope you’ll find the video log useful:

Thanks
MySQL Product Documentation
ForgeRock Documentation

Setting Up ForgeRock OpenAM with HTTPS on Tomcat

This blog post was first published @ www.fedji.com, included here with permission.

This post is a demo version of the ForgeRock Documentation on Setting Up OpenAM with HTTPS on Tomcat. I had earlier published a screen-cast on the ForgeRock OpenAM deployment and Configuration on a here. Below you’ll find the steps that I run in my Ubuntu Linux Container to secure our OpenAM deployment:

– Create a Certificate & store it in keystore in a Linux Container
– Modify the Tomcat Server Configuration file (server.xml) to enable SSL (on port 8443)
– Deploy ForgeRock OpenAM
– Access OpenAM from the host OS and complete the configuration

If it’s hard for your visualize how the infrastructure looks like, here’s an illustration to make life easy.

OpenAMWithSSL

Now on to the action:

If you are not able to view the embedded video, please click here

ForgeRock OpenDJ Replication – Enabling Encryption

This blog post was first published @ www.fedji.com, included here with permission.

This is a sequel to my earlier blog update on ForgeRock OpenDJ Replication and is largely inspired by a question raised in the ForgeRock Community Website. So if you are not very familiar with the steps involved in configuring OpenDJ Replication, I suggest you read/watch it before watching the embedded video below:

One-liner about the infrastructure used: two Linux Containers, each running an instance of ForgeRock OpenDJ is already replicating the OpenDJ data, but the replication traffic is not secure. In the video demonstration that follows, we’ll tighten the security a bit by encrypting the replication traffic as well as monitor the same using wireshark running on the host OS. Well, the diagram below indicates the end state of our screen-cast:

OpenDJReplicationEncrypted

Enjoy

[If you are not able to see the embedded video, please watch it on YouTube here ]