For the ForgeRock Identity Platform version 6, integration between our products is easier than ever. In this blog, I’ll show you how to integrate ForgeRock Identity Management (IDM), ForgeRock Access Management (AM), and ForgeRock Directory Services (DS). With integration, you can configure aspects of privacy, consent, trusted devices, and more. This configuration sets up IDM as an OpenID Connect / OAuth 2.0 client of AM, using DS as a common user datastore.
Setting up integration can be a challenge, as it requires you to configure (and read documentation from) three different ForgeRock products. This blog will help you set up that integration. For additional features, refer to the following chapters from IDM documentation: Integrating IDM with the ForgeRock Identity Platform and the Configuring User Self-Service.
While you can find most of the steps in the IDM 6 Samples Guide, this blog collects the information you need to set up integration in one place.
This blog post will guide you through the process. (Here’s the link to the companion blog post for ForgeRock Identity Platform version 5.5.)
Preparing Your System
For the purpose of this blog, I’ve configured all three systems in a single Ubuntu 16.04 VM (8 GB RAM / 40GB HD / 2 CPU).
Install Java 8 on your system. I’ve installed the Ubuntu 16.04-native openjdk-8 packages. In some cases, you may have to include export JAVA_HOME=/usr in your ~/.bashrc or ~/.bash_profile files.
Create separate home directories for each product. For the purpose of this blog, I’m using:
Install Tomcat 8 as the web container for AM. For the purpose of this blog, I’ve downloaded Tomcat 8.5.30, and have unpacked it. Activate the executable bit in the bin/ subdirectory:
$ cd apache-tomcat-8.5.30/bin
$ chmod u+x *.sh
As AM requires fully qualified domain names (FQDNs), I’ve set up an /etc/hosts file with FQDNs for all three systems, with the following line:
192.168.0.1 AM.example.com DS.example.com IDM.example.com
(Substitute your IP address as appropriate. You may set up AM, DS, and IDM on different systems.)
If you set up AM and IDM on the same system, make sure they’re configured to connect on different ports. Both products configure default connections on ports 8080 and 8443.
Download AM, IDM, and DS versions 6 from backstage.forgerock.com. For organizational purposes, set them up on their own home directories:
Unpack the zip files. For convenience, copy the Example.ldif file from /home/idm/openidm/samples/full-stack/data to the /home/ds directory.
For the purpose of this blog, I’ve downloaded Tomcat 8.5.30 to the /home/am directory.
Configuring ForgeRock Directory Services (DS)
To install DS, navigate to the directory where you unpacked the binary, in this case, /home/ds/opendj. In that directory, you’ll find a setup script. The following command uses that script to start DS as a directory server, with a root DN of “cn=Directory Manager”, with a host name of ds.example.com, port 1389 for LDAP communication, and 4444 for administrative connections:
$ ./setup \
--rootUserDN "cn=Directory Manager" \
--rootUserPassword password \
--hostname ds.example.com \
--ldapPort 1389 \
--adminConnectorPort 4444 \
--baseDN dc=com \
--ldifFile /home/ds/Example.ldif \
Earlier in this blog, you copied the Example.ldif file to /home/ds. Substitute if needed. Once the setup script returns you to the command line, DS is ready for integration.
Installing ForgeRock Access Manager (AM)
Use the configured external DS server as a common user store for AM and IDM. For an extended explanation, see the following documentation: Integrating IDM with the ForgeRock Identity Platform. To install AM, use the following steps:
- Set up Tomcat for AM. For this blog, I used Tomcat 8.5.30, downloaded from http://tomcat.apache.org/.
- Unzip Tomcat in the /home/am directory.
- Make the files in the apache-tomcat-8.5.30/bin directory executable.
- Copy the AM-6.0.0.war file from the /home/am directory to apache-tomcat-8.5.30/webapps/openam.war.
- Start the Tomcat web container with the startup.sh script in the apache-tomcat-8.5.30/bin directory. This action should unpack the openam.war binary to the
- Shut down Tomcat, with the shutdown.sh script in the same directory. Make sure the Tomcat process has stopped.
- Open the web.xml file in the following directory: apache-tomcat-8.5.30/webapps/openam/WEB-INF/. For an explanation, see the AM 6 Release Notes. Include the following code blocks in that file to support cross-origin resource sharing:
Important: Substitute the actual URL and ports for your AM and IDM deployments, where you see http://am.example.com:8080 and http://idm.example.com:9080. (I forgot to make these once and couldn’t figure out the problem for a couple of days.)
- If you’ve configured AM on this system before, delete the /home/am/openam directory.
- Restart Tomcat with the startup.sh script in the aforementioned apache-tomcat-8.5.30/bin directory.
- Navigate to the URL for your AM deployment. In this case, call it http://am.example.com:8080/openam. You’ll create a “Custom Configuration” for OpenAM, and accept the defaults for most cases.
- When setting up Configuration Data Store Settings, for consistency, use the same root suffix in the Configuration Data Store, i.e. dc=example,dc=com.
- When setting up User Data Store settings, make sure the entries match what you used when you installed DS. The following table is based on that installation:
- When the installation process is complete, you’ll be prompted with a login screen. Log in as the amadmin administrative user with the password you set up during the configuration process. With the following action, you’ll set up an OpenID Connect/OAuth 2.0 service that you’ll configure shortly for a connection to IDM.
- Select Top-Level Realm -> Configure OAuth Provider -> Configure OpenID Connect -> Create -> OK. This sets up AM as an OIDC authorization server.
- Set up IDM as an OAuth 2.0 Client:
- Select Applications -> OAuth 2.0. Choose Add Client. In the New OAuth 2.0 Client window that appears, set openidm as a Client ID, set changeme as a Client Secret, along with a Redirection URI of http://idm.example.com:9080/oauthReturn/. The scope is openid, which reflects the use of the OpenID Connect standard.
- Select Create, go to the Advanced Tab, and scroll down. Activate the Implied Consent option.
- Press Save Changes.
- Go to the OpenID Connect tab, and enter the following information in the Post Logout Redirect URIs text box:
- Press Save Changes.
- Select Services -> OAuth2 Provider -> Advanced OpenID Connect:
- Scroll down and enter openidm in the “Authorized OIDC SSO Clients” text box.
- Press Save Changes.
- Navigate to the Consent tab:
- Enable the Allow Clients to Skip Consent option.
- Press Save Changes.
AM is now ready for integration.
Now you’re ready to configure IDM, using the following steps:
- For the purpose of this blog, use the following project subdirectory: /home/idm/openidm/samples/full-stack.
- If you haven’t modified the deployment port for AM, modify the port for IDM. To do so, edit the boot.properties file in the openidm/resolver/ subdirectory, and change the port property appropriate for your deployment (openidm.port.http or openidm.port.https). For this blog, I’ve changed the openidm.port.http line to:
- (NEW) You’ll also need to change the openidm.host. By default, it’s set to localhost. For this blog, set it to:
- Start IDM using the full-stack project directory:
- $ cd openidm
- $ ./startup.sh -p samples/full-stack
- (If you’re running IDM in a VM, the following command starts IDM and keeps it going after you log out of the system:
nohup ./startup.sh -p samples/full-stack/ > logs/console.out 2>&1& )
- As IDM includes pre-configured options for the ForgeRock Identity Platform in the full-stack subdirectory, IDM documentation on the subject frequently refers to the platform as the “Full Stack”.
- In a browser, navigate to http://idm.example.com:9080/admin/.
- Log in as an IDM administrator:
- Username: openidm-admin
- Password: openidm-admin
- Reconcile users from the common DS user store to IDM. Select Configure > Mappings. In the page that appears, find the mapping from System/Ldap/Account to Managed/User, and press Reconcile. That will populate the IDM Managed User store with users from the common DS user store.
- Select Configure -> Authentication. Choose the ForgeRock Identity Provider option. In the window that appears, scroll down to the configuration details. Based on the instance of AM configured earlier, you’d change:
||Matching entry from Step 5 of Configuring AM (openidm)
||Matching entry from Step 5 of Configuring AM (changeme)
- When you’ve made appropriate changes, press Submit. (You won’t be able to press submit until you’ve entered a valid Well-Known Endpoint.)
- You’re prompted with the following message:
- Your current session may be invalid. Click here to logout and re-authenticate.
- When you tap on the ‘Click here’ link, you should be taken to http://am.example.com:8080/openam/<some long extension>. Log in with AM administrative credentials:
- Username: amadmin
- Password: <what you configured during the AM installation process>
If you see the IDM Admin UI after logging in, congratulations! You now have a working integration between AM, IDM, and DS.
Note: To ensure a rapid response when the AM session expires, the IDM JWT_SESSION timeout has been reduced to 5 seconds. For more information, see the following section of the IDM ForgeRock Identity Platform sample: Changes to Session and Authentication Modules.
Building On The ForgeRock Identity Platform
Once you’ve integrated AM, IDM, and DS, you can:
To visualize how this works, review the following diagram. For more information, see the following section of the IDM ForgeRock Identity Platform sample: Authorization Flow.
If you run into errors, review the following table:
||Check for typos in the OAuth 2.0 client Redirection URI.
|This application is requesting access to your account.
||Enable “Implied Consent” in the OAuth 2.0 client.
Enable “Allow Clients to Skip Consent” in the OAuth2 Provider.
|Upon logout: The redirection URI provided does not match a pre-registered value.
||Check for typos in the OAuth 2.0 client Post Logout Redirect URIs.
|Unable to login using authentication provider, with a redirect to preventAutoLogin=true.
||Check for typos in the Authorized OIDC SSO Clients list, in the OAuth2 Provider.
Make sure the Client ID and Client Secret in IDM match those configured for the AM OAuth 2.0 Application Client.
|Unknown error: Please contact the administrator.
(In the dev console, you might see: Origin ‘http://idm.example.com:9080’ is therefore not allowed access.’).
|Check for typos in the URLs in your web.xml file.
|The IDM Self-Service UI does not appear, but you can connect to the IDM Admin UI.
||Check for typos in the URLs in your web.xml file.
If you see other errors, the problem is likely beyond the scope of this blog.