SAML2 as ForgeRock OpenAM 13 Authentication Module Instance

This blog post was first published @, included here with permission.

Well, you’ve possibly heard about the release of a newer version of the ForgeRock Identity Platform with several enhanced capabilities. If not, you can read all about it here. One of the new features in the Access Management component of the ForgeRock Identity Platform is the SAML2 Authentication Module. What that offers is that, after configuring Federation, we can supply all the required details (the IDP entity, the binding method, and so on) in an Authentication Module instance of ForgeRock Access Management and use it just like any other Authentication Module (LDAP, Database, HOTP, etc.). Let’s see how that’s done in the video demonstration that follows this write-up. And, by the way, if you’d like a quick idea of what’s new in the newer version of ForgeRock Access Management, read the release notes here.

We’ve already discussed OpenAM Federation on this space before. Here’s a list of links from the past:

ForgeRock OpenAM Federation Using SAML v2
Using SAML Assertion Attributes in ForgeRock OpenAM

While the following video walks through the OpenAM Federation configuration from scratch, if you feel there are details missing in it, please feel free to have a look at the web logs mentioned above. The main focus of the screencast below is only to see how SAML2 is used as an Authentication Module instance in version 13 of ForgeRock OpenAM.

The following illustration might give a quick idea on what’s demonstrated in the video embedded below this post.

Now on to the screen-cast. Enjoy!

Installing WebSphere on Linux

In order to test/resolve certain WebSphere-specific OpenAM bugs, I decided to install this lovely container on a brand new Ubuntu VM. Now I must tell you, I’m slightly biased towards open source containers, as they tend to be actually usable and aren’t as overcomplicated as their enterprise competitors (yes, I’m talking about you, WebSphere and WebLogic). So keeping that in mind, let’s see what kind of suffering one has to go through to get to a running WebSphere instance. NB: this is mostly a rant; the most useful info can be found at the bottom of this post. :)

How not to do it

I started with searching for “download ibm websphere 8.5.0”, and after a few clicks I figured out a few things:

  • There are service packs for each release or something similar, and apparently is the latest for 8.5.0
  • There is also a release called 8.5.5
  • According to Wikipedia 8.5.5 can run on Java 8 as well

Since I like shiny new things, and one can only hope that new is always better, I decided that I wanted to install 8.5.5. After visiting the 8.5.5 pages I realized that installing 8.5.5 has the prerequisite of having 8.5.0 installed (enterprise software, eh), so let’s go back to the downloads again…
The descriptions of the downloads are rather dubious, so I ended up downloading the first downloadable thing and hoped for the best. Of course, at this point I didn’t even wonder why the hell I needed to download 2.4 GiB worth of ZIP files for an application server…
So I unzipped the 2 downloaded files and had to conclude that, simply put, there is no binary file that you can actually run. It turns out that the files I had just got are files that can be utilized by the IBM Installation Manager (facepalm). Of course there is little to no information about whether all the IM versions are actually able to install all existing IBM software, but who knows, maybe I’ll get lucky.

Nope. The IBM Installation Manager doesn’t really allow you to install anything by default; you need to add repositories manually to get it working (why it doesn’t come with a default set of repositories that allows installing anything is beyond me), so I ended up trying to point IM towards my unzipped files, and it seems like it’s able to pick up that repository.config file just fine. Trying to install anything still yields the same error though, about not having any repositories present or that the ones configured have nothing installable. Just great.
The problem must be that I’m using the wrong version of the IM, and maybe an older version will be able to work with my downloaded, right? So I start to look for an IM version that is recommended for, and after some random Google hits I find a documentation that mentions the 1.5.3 version of IM, and I attempt to download it, but now I hit a new problem.

Apparently writing 64-bit software for Linux seems to be a difficult thing for IBM to do, and the only downloadable items are for 32-bit Linux and some very weird 64-bit platforms that I’ve never heard of before. Downloading the 32-bit version of IM and then installing the following packages on Ubuntu helped a little bit:

apt-get install lib32z1 libgcc1:i386

But even with this old version of IBM IM I’m unable to install At this point I just start to search a lot more, and finally I get to the holy grail.

How to install WebSphere

Search for WebSphere Express Trial and go through some silly registration process, then make sure you uncheck all the options about contacting you, and if you did everything right you will get access to a WebSphere installer (somehow downloading the Express edition does not have the prerequisite of installing 8.5.0; no comment).

Once it is installed using the IBM Installation Manager, you should realize that the IBM JDK shipped with WebSphere is a 32-bit only application, so make sure you’ve run the above apt-get command beforehand.

Create a custom profile

I still don’t really know what a profile is meant to be, but I had this strong urge to create one, as everything in WebSphere seems to rely on these things. So I came up with the following commands:

$ bin/ -create -templatePath /opt/IBM/WebSphere/AppServer/profileTemplates/default -profileName default -profilePath /opt/IBM/WebSphere/AppServer/profiles/default
$ bin/ -setDefaultName -profileName default

Making my profile the default one should mean that I don’t have to use the -profileName default all the time when interacting with the CLI, so hopefully that will make my life easier in the long run.

At this stage I should mention that if for some reason the profile creation just hangs and doesn’t want to finish at all, then apparently your problem is that your /bin/sh does not map to /bin/bash! I mean what the hell…

Using IBM JDK7

Foolishly I thought that a standalone IBM JDK7 could be utilized by WebSphere, but of course I couldn’t really get that to work (not sure how to make managesdk aware of an external JDK installation), so I had to follow the official guide and download a WebSphere-specific IBM JDK7, and then use the managesdk utility to ensure that my default profile would use IBM JDK7:

$ bin/ -setNewProfileDefault -sdkName 1.7_32

That’s it; after all this you should be able to run WebSphere with the following command:

$ bin/ server1 # No idea where that server1 comes from

Once WebSphere is running you can access the admin console at http://localhost:9060/ibm/console (if you only enter localhost:9060 you will face an error message, to be absolutely user friendly), and your applications should theoretically be under port 9080 (because who needs to be consistent with every other container and port 8080).
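The two things that bit me above (the bundled IBM JDK being 32-bit only, and profile creation hanging when /bin/sh is not bash) are cheap to check before running the installer. The following preflight script is an added example, not part of the original post or of IBM's tooling; it assumes an Ubuntu/Debian host where dpkg-query is available, and the /bin/sh path and the package names are taken from the steps above.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for the two
# WebSphere setup gotchas described above. Assumes Debian/Ubuntu (dpkg-query).

# sh_is_bash PATH: succeed (0) if PATH ultimately resolves to a bash binary.
# Follows the whole symlink chain, so /bin/sh -> dash is reported as not bash.
sh_is_bash() {
  target=$(readlink -f "$1" 2>/dev/null) || return 1
  [ -n "$target" ] || return 1
  [ "$(basename "$target")" = "bash" ]
}

# have_32bit_libs [PKG...]: succeed if every listed Debian package is installed.
# Defaults to the two packages the post installs for the 32-bit IBM JDK.
have_32bit_libs() {
  [ $# -gt 0 ] || set -- lib32z1 libgcc1:i386
  for pkg in "$@"; do
    dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null \
      | grep -q 'install ok installed' || return 1
  done
  return 0
}

# preflight: print one line per check and return the number of failed checks.
preflight() {
  failures=0
  if sh_is_bash /bin/sh; then
    echo "ok:   /bin/sh resolves to bash"
  else
    echo "FAIL: /bin/sh is not bash; WebSphere profile creation may hang"
    failures=$((failures + 1))
  fi
  if have_32bit_libs; then
    echo "ok:   32-bit runtime libraries present"
  else
    echo "FAIL: run 'apt-get install lib32z1 libgcc1:i386' before using the bundled IBM JDK"
    failures=$((failures + 1))
  fi
  return $failures
}

# Run the checks when this file is executed directly; set PREFLIGHT_DEFINE_ONLY=1
# to only load the functions. The status is the number of failed checks.
if [ "${PREFLIGHT_DEFINE_ONLY:-0}" = "0" ]; then
  preflight && status=0 || status=$?
  echo "failed checks: $status"
fi
```

Run it once before the manageprofiles step; a zero count means both of the gotchas described in the post are already taken care of on that host.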

Next time I’ll blog about OpenAM instead, promise. :)

New version of ForgeRock Identity Platform™

This week, we have announced the release of the new version of the ForgeRock Identity Platform, which brings new services in the following areas:

  • Continuous Security at Scale
  • Security for Internet of Things (IoT)
  • Enhanced Data Privacy Controls


This is also the first identity management solution to fully implement the User-Managed Access (UMA) standard, making it possible for organizations to address expanding privacy regulations and establish trusted digital relationships. See the article that Eve Maler, VP of Innovation at ForgeRock and Chief UMAnitarian posted to explain UMA and what it can do for you.

A more in depth description of the new features of the ForgeRock Identity Platform has also been posted.

The ForgeRock Identity Platform is available for download now at

In future posts, I will detail what is new in the Directory Services part, built on the OpenDJ project.


New version of the ForgeRock Identity Platform

This week we announced the new version of the ForgeRock Identity Platform (ForgeRock Identity Platform™).

The ForgeRock Identity Platform is now able to evaluate, in context and continuously, the authenticity of users, devices and things.

This new version is also the first solution to support the “User Managed Access” (UMA) standard, which lets individuals selectively share, control, authorize and revoke access to their data, and therefore offers enterprises an open, standardized solution for protecting and controlling the privacy of their customers’ and employees’ data. These privacy and consent-management needs are becoming important in healthcare, connected objects and even the financial services sector.

To better understand “UMA” and the services offered by the ForgeRock Identity Platform, I suggest watching this short video (in English).

The ForgeRock Identity Platform is available for download now at:

The details of what is new in this version are on the ForgeRock web site.


What’s new in the ForgeRock platform release

Perhaps you have read yesterday’s news about ForgeRock launching the updated identity platform.

Those of us who spent the last year working on this update are proud of all the new capabilities, from the integration achieved with common components to the depth and breadth of new features across all the products in the platform.

Looking for detailed lists of what’s new? Here are some quick links to each of the products’ release notes:

I’ll drill down on some of those in future posts.

The break is over

It has been a year since my last post…

In the meantime, quite a few things happened: a baby boy in February, a new flat, some major OpenIG refactorings, and 2 releases.

Quite a busy year after all :)

Let’s have some kind of retrospective on the year…

January under the West Coast Sun

2015 started (from a professional point of view) very smoothly: we had our yearly company meeting in the first week of January!

Heading to San Diego, on the US west coast, 7 time zones to cross, we started the journey at 4am (CET) and finally arrived at 7pm (PST).

We had 3 wonderful days meeting with ForgeRockers from all around the globe. Nice place and weather, cool team-building activities, interesting people: everything was there for a great week!

It was a pleasure to finally meet people you usually only interact with through HipChat/Skype. We had good feedback from sales and sales engineering on OpenIG. Engineering breakout sessions had been organized (well, un-organized, unconference style :)): stateless sessions and new (common) projects were on the plate.

That was a very pleasant (to say the least) experience, leaving us both eager to attend the next one and energized for the year :)

New Web Site

You probably noticed already, since this is not really new at the time of writing, but we launched a whole new web site: good-bye Maven-generated sites (well, they are still around because some content has not yet found its new home), welcome to the future:

  • Gamification support (you gain points when you participate)
  • Easier access to online resources (downloads, docs, sources, blogs, …)
  • General and per-project forums
  • CSS harmony ;)

Rebranded Documentation

Mark and his team did an amazing job this year to refresh the documentation’s style.

I have to admit that the first time I saw the new documentation, it was like … Wow!

It was so refreshing; reading the doc became a pleasure again.

Note that the documentation team kept going, and also provided documentation that fits perfectly into ForgeRock’s backstage site!

Good job guys !

Great Git Migration

Ahhh, a technical item, finally (I can hear you, you know ;)).

Since day one, OpenIG’s source code (and most probably that of other ForgeRock projects) has been hosted on a Subversion server.

It was time to move on.

Frankly, I don’t recall having used Subversion for OpenIG :) The first thing I did when I was hired was to git svn clone the OpenIG source code!

Over time, I demoed Git features to co-workers and team members, and gradually they made their own clones and started enjoying working on local branches, reworking history, …

So, in the end, I think we were the team most ready for the Git migration: from developers to QA and doc writers, everybody felt quite comfortable with Git!

We have the advantage of being a small (but still complex enough) project. That made OpenIG the candidate of choice for trying imports, giving feedback, and most important: being the first product migrated!

Kudos to the release engineering team for achieving this huge task, providing support for the whole company!

New Hires !

The OpenIG project has welcomed 2 new hires in 2015: Laurent Vaills (Senior Developer) and Joanne Henry (Doc Writer).

Laurent started in difficult conditions: his first day was all about preparing the San Diego trip, and then heading to the US! It could have been worse :)

Technically, Joanne started at the beginning of 2016, just like Laurent: jumping in with the annual company meeting.

Welcome to both of you.

Not One but Two OpenIG Releases

The team did a tremendous job releasing 2 OpenIG versions in 2015:

  • OpenIG 3.1.1, a sustaining release with important bug fixes for customers
  • OpenIG 4.0.0, a major release with loads of features: UMA, PEP, STS (more on these weird acronyms in a later dedicated post), …

This year in numbers in OpenIG-land:

  • 68384 lines were added
  • 101208 lines were deleted
  • 521 commits
  • 13 contributors
  • 172 pull requests

That was a busy year, I told you so :)

ForgeRock welcomes Joanne Henry

Welcome to Joanne Henry who joined the ForgeRock documentation team today. Good to work with you again, Joanne.

Joanne has experience as a technical writer and team leader for a variety of projects from chips to consumer electronics to medical software to LDAP. In all of these situations, Joanne has managed to deliver useful documentation for users and to improve the way the team works.

Joanne’s now bringing her diligence, clear thinking, and focus to the OpenIG project. Good news for those of you figuring out how to protect your applications and APIs!