Currently there is no public JSON configuration file available for Oracle DBs since the database schemas are different, however ForgeRock provides sample configuration files at http://sources.forgerock.org/browse/openidm/trunk/openidm-zip/src/main/resources/samples/provisioners

One of OpenIDMs governing principles is to be modular and it uses OSGi as its modularity framework so In order to make the DB connectors work you need an OSGi enabled JDBC driver for your Database. The downside is that unfortunately there are not many driver jars ready for OSGi so you need to repack your own.

There is a how-to for Oracle here: https://bugster.forgerock.org/jira/browse/OPENIDM-580

This also works for MS SQL JDBC or http://sourceforge.net/projects/jtds/files/ and deploy to the OpenIDM bundle folder. If you have the proper active JDBC driver then you can use any of these:

http://openicf.forgerock.org/connectors/db.html connectors.

Download the one you need to /openidm/connectors folder and restart OpenIDM. There is a CLI tool to generate the configuration file;

You can edit the provisioner.openicf-oracle.json and run the command again. It will connect to your Oracle DB server and populate the schema part of the config file. If you connect to a DB Table then:

So with the above done – its time to start CRUD:ing. Happy CRUD!

Lets look at four the typical use-cases a typical Sun IdM customer have deployed and discuss how OpenIDM matches up.

1.) Orphan account detection
Sun IdM provides a reconciliation engine allowing customers with XPRESS rules to define correlations between target resource accounts and the virtual identity in Sun IdM. The reconciliations runs per resource, compares and produces situations on whether accounts are matched, unmatched, not known etc. OpenIDM offers a similar reconciliation engine allowing these correlation rules to be migrated from XPRESS to JavaScripts. The reconciliation results are similar to what Sun IdM offers and also exposes the capabilitiy of invoking custom reactions to a discovered situation such as running a script or invoking a BPMN 2.0 workflow. The reconciliation similar to Sun IdM also provides the necessary information needed to produce reports such as orphan accounts reports.

2.) Authoratative Source driven provisioning
Sun IdM provides the mechanism of ActiveSync, where certain connectors or resource adapters are extended with the capability of reacting to near real-time (via scheduled polling). The ActiveSync process then discovers CREATE, UPDATE or DELETE situations on resource accounts and three different workflows parses a set of forms (typically referred to as ActiveSync forms) to manage the attribute transformations and identity data flow.
OpenIDM offers a similar capability and also leverages the same set of connectors as Sun IdM. In the world of OpenIDM this capability is referred to as LiveSync. The LiveSync process is typically a scheduled process running as a background process and instead of UserForms and XPRESS to define the transformations, these are specified in mappings describing the flow from one system to another. The LiveSync life-cycle offers a number of hooks that allows you to specify actions such as running custom scripts or invoking workflow offering the same flexibility and capabilites as Sun IdM.

3.) Password Management
A typical quick-win and low hanging fruit with Sun IdM was that once resource adapters or connectors were configured, the password management aspect came with the setup. Sun IdM allows you to specify governing password policy according to company requirements and enforce them during password resets. Sun IdM also allowed to intercept passwords on Active Directory by deploying a special plugin on the AD domain controllers. Self Service capabilties to reset passwords was by default managed using challenge/response questions that could either be specified by administrator or self-defined, or a combination of the two.

OpenIDM provides equal functionality to manage passwords, specify policies using flexible regular expressions in JavaScript rules, to reset and change passwords accordingly and to leverage challenge questions to do self-service resets. OpenIDM also provides a plugin for AD to intercept passwords and allow them to be synchronized as well as a plugin for OpenDJ to expose the same capability there.

4.) Self Service requests
Sun IdM allows you to quickly and easily expose custom workflows that can interact with the virtual identity and the underlying integrated resources to do attribute updates or to provision new accounts etc. OpenIDM exposes the same capability but instead of using a proprietary workflow definition language, leverage the industry standard BPMN 2.0 to specify workflows.

OpenIDM has been designed with flexibility, modularity, scalability and developer-friendlyness in mind. That means it is a perfect fit for the same reasons Sun IdM was probably selected in the first place, but without any proprietary technologies being used required specific training. Time to make a decision; stuck in the corner or making a move that gives you options in the future?

Two things have marked me during my stay. First, the city is very green. There are lots of trees, plants, flowers everywhere. All main avenues are borded by trees. It’s like mother nature is trying to tell us that she still exists despite the concrete and buildings.

The other thing is that at any time of the day or the night, there are people in the street, trying to earn a little bit of money, selling water, tissues or balloons.

The food was amazing. I enjoyed tacos, fresh fruits, some argentinian bife, jalapeños… Spicy, but not “mucho picante”. As well as beers like Victoria, Bohemia, Dox Equis, Modelo… And tequila of course !

Other photos from my trip are on Google+

By the way, we did work this week in Mexico.

Below is a photo of the screen as we’ve finished importing the customers’ data in OpenDJ (the data includes a few hundreds of groups, each averaging 40 000 members). I like this kind of performance number ! And I will probably say more about the hardware and settings to achieve that in a future post.

I shall say a big thank you to our partner in Mexico and Latin America : NoLogin. They’ve made everything to make my stay safe and comfortable, including with jalapeños and tequila !

I hope the few companies I visited will turn into customers. I’d like to come back again in Mexico. These 5 days have just gone to0 fast. And I’ve just started to get into lutta libre

So getting back to the origins of GET and POST (familiar friends), delving into PUT and  DELETE (probably strangers), and bringing it full circle to CRUD (relations you have to invite to every party) we are deep within the psyche of OpenAM where all things good are now viewed with RESTful glasses.

Embracing OAuth2 as a powerful emerging standard and revamping the OpenAM Identity Services that provided a REST-like interface to core functionality is only the start. The shift to a resource-oriented architecture (ROA) is underway and hopes to bring lightweight, flexible access to many more features of this great product.

Stay tuned for updates, and enjoy some Ozzy.

Thanks to the ForgeRock team, our customers and of course to all our community members that have contributed either by sending us feedback in the mailing list, by rising issues in bugster, adding documentation in the wiki, or contributing with code and extensions. There are many names that I would like to put in a list, but you know who you are and you soon will receive a thanks email !

A large amount of the code base has been audited and cleaned up, and as a result the overall quality has been improved. Since the initial release of OpenAM more than a thousand bugs, security issues and improvements have been resolved. OpenAM 10.0.0 includes improvements in the areas of Federation with SAML 2.0 and OAuth 2.0, application integration with OpenIG, Risk Based Authentication, and key enhancements in security, reliability, performance and the underlying replication architecture.

These are some of the key enhancements:

Please read the official announcement, the release notes  and take a peek to the documentation. Everything is download-able from the usual place, the Maven Repository has been also updated and the build has been tagged in the repository as 10.0.0.

As usual, your feedback to the mailing list and your participation in the community is very welcome.

Let’s keep rocking  !