Getting Familiar with OpenLDAP

I made some video tutorials on OpenLDAP a couple of years ago. It was my humble attempt to help all those interested to familiarize with the LDAP concepts, more specifically OpenLDAP. Lazy me, it took a while for me to organize those videos into a YouTube playlist that you see embedded below:

All learning in there is done by doing. If any of you find some information useful in it, I’d consider my efforts to have not gone in vain.

Getting Started with MySQL

Seven years ago, I had written about my experience of Taming Sakila and since then I’ve had the pleasure and privilege of discussing the world’s most popular open source Database in Oracle University classrooms for some years. While those sweet memories remain, I was a bit restless for ignoring requests from a few of my friends in helping them learn the basics of MySQL. And today, I’m happy to have been able to produce some screen-casts on helping my friends (and all those interested) get started with the MySQL Database. Over a dozen videos that are on the YouTube playlist ‘Getting Started with MySQL’ – embedded below- might just be sufficient to start learning MySQL. For a more detailed study, I’d stronly recommend the training programs on MySQL or the official MySQL documentation.



I hope some of you find these videos useful.

Addendum to ForgeRock Full Stack Configuration – Using ForgeRock OpenIG

This is an extension of an earlier post that demonstrated ForgeRock Full Stack Configuration, comprising OpenDJ, OpenAM and OpenIDM. In here we’ll plug in ForgeRock OpenIG to route traffic to/from OpenAM and OpenIDM. In the video log that follows, you’ll see:

– All urls that hit OpenIG, containing a string ‘openam’ getting redirected to OpenAM URL
– All urls that hit OpenIG, that does not contain the string ‘openam’ getting redirected to:

  1. OpenAM for Authentication if there is no valid User session and then on to OpenIDM UI
    2. OpenIDM UI if there is a valid User sessionOpenIDM UI

So here’s the extended illustration

AddendumToFullStackConfiguration

Now on to the video.Enjoy!

Scripted SQL Connector in ForgeRock OpenIDM 4

ForgeRock Identity Management solution includes generic Groovy Connector Toolkit that enables you to run Groovy scripts on any external resource. You can read more about it here. Lifted verbatim from the OpenIDM 4 documentation mentioned above:”To facilitate creating your own scripted connectors with the Groovy Connector Toolkit, OpenIDM provides a scripted connector bundler. ” I followed Instructions in there (as well as in the README file of the ‘sample3’ in OpenIDM installation directory), to build a ScriptedSQL Connector to connect OpenIDM to a MySQL Database and my Video Log is below:

Enjoy!

Configuring Password Validator in ForgeRock OpenDJ 3

– How do we set a Minimum/Maximum Password length in ForgeRock OpenDJ?
– How do we impose the Users to use certain Special characters in their OpenDJ password?
– How do we have the Users use a alphanumberic string as their OpenDJ password?
– How do we create a Custom Password Validator (one that validates a Password against certain rules as the ones above)?

Well if these questions bother you, just like it happened to a friend of mine a day ago, the following video might help get some answers:

Related Videos/Documentation:
ForgeRock OpenDJ Documentation on Password Policy
ForgeRock OpenDJ Password Policy Part I – Service Based Password Policy [Video]
ForgeRock OpenDJ Password Policy Part II – Sub Entry Based Password Policy [Video]

ForgeRock Full Stack Configuration

If you’re in a hurry to know what each of the ForgeRock Identity Platform Components is meant to do, try the Full Stack Configuration. In just over fifteen minutes, you’ll see:

– Installation of ForgeRock OpenDJ
– Deployment of ForgeRock OpenAM
– Configuration of OpenDJ as an Identity Repository in ForgeRock OpenAM
– Installation of ForgeRock OpenIDM
– Configuring OpenDJ as External Resource in OpenIDM
– Running a reconciliation in OpenIDM from OpenDJ
– Provisioning a User from OpenIDM to OpenDJ
– Using OpenAM as the Authentication Module for OpenIDM

With a much awaited weekend around the corner, I couldn’t really get over the laziness to create a better illustration than the one below to help visualize what’s mentioned above.

ForgeRockFullStack

Please watch it, if you have some time. Enjoy!

Thanks: ForgeRock Product Documentation

Deploying a Highly Available ForgeRock Identity Management Solution

We have already discussed on this space the installation of ForgeRock Identity Management Solution and further configuring a Database as its repository. But in those discussions, all the critical components of the Solution namely the ForgeRock OpenIDM 4, MySQL Database were a Single Point of Failure. In an environment where business continuity is critical, we ought to build a solution that has no SPOF in the architecture. So I’m going to take you through that route today. Of course, this is a hint and just a way to understand the different options that you might consider in Configuring ForgeRock OpenIDM 4 for High Availability.

I’ve a rather simple example of HA configuration, mainly meant for understanding and learning it. In a sensitive infrastructure, a great deal of planning goes into building a Highly Available Environment. So what’s the small little setup we’ve here for learning:

ForgeRock OpenIDM 4 High Available Configuration

Two instances of ForgeRock OpenIDM 4 connects to a MySQL Proxy, which in turn talks to a MySQL Replication site. Of course, in this setup, MySQL Proxy is a SPOF, so you should have at least two of it in front of the MySQL Replication site. But if I had attempted to it, the whole thing would have looked a lot more complicated and would have failed the objective of being a learning tool. So if you’ve just under a half an hour to spare, you will know:

– How to use MySQL Proxy
– How to setup MySQL Replication (Master/Slave)
– How to install OpenIDM 4
– How to configure OpenIDM 4 to use a MySQL Database as its Repository
– How to bring up an OpenIDM Cluster environment

Well, the final state is what you get to see in the illustrations above.

Now on to the video. Enjoy!

ForgeRock OpenIG 4 As OpenAM Policy Enforcement Point

We know of it as a job usually done by the OpenAM Web/J2EE Policy Agent to enforce a Policy Decision sent by the Access Management Solution. To help you recollect, this is how it works:

– An End User tries to access a resource (say, a URL)
– The Web/J2EE Policy Agent deployed in the Container, intercepts the requests and redirects the request to Access Management Solution
– The Access Management Solution, first Authenticates the User, does a redirection to the the Resource (URL), where Agent would again receive it
– The Agent would now ask the Access Management Solution whether the Authenticated User has access to the Protected Resource (Authorization)
– Based on the policies defined in the Access Management Solution for the Protected Resource, it constructs a Decision and sends it back to the Agent
– Whatever the decision Agent receives from the Access Management (whether to ALLOW or DENY access to the Protected Resource), the Agent Enforces it!

The story in the video below is a bit different. In fact, the protagonist is different. The honours of Enforcing a Policy Decision sent by OpenAM is on ForgeRock OpenIG 4. As for the flow, it by and large remains what is mentioned above, just that the OpenIG uses its Route Configuration file to decide whether it should redirect the Client requests to OpenAM (should the SSO Cookie is absent in the request), ask OpenAM for Policy Decisions on Protected URLs by Authenticated Users and finally to enforce a Decision that is sent by OpenAM (whether to ALLOW or DENY access to Protected URLs).

Very roughly, here’s an illustration of the flow:
ForgeRock OpenIG 4 As ForgeRock OpenAM 13 Policy Enforcement Point

To see it in action, watch the screen-cast below. Enjoy!


Related Documentation:
ForgeRock OpenIG Documentation

Upgrade to ForgeRock OpenDJ 3.0

As you know, the newer version of ForgeRock Directory Services is out. Based on the ForgeRock OpenDJ 3.0 documentation, here’s my video log (~3 minutes) on the OpenDJ upgrade process, which could be considered a resource to learn and evaluate the OpenDJ upgrade process. Needless to emphasize, an activity as Upgrade of a Production on a Production environment requires detailed Analysis and Planning before execution.

Related Documentation and other Useful Links:
ForgeRock OpenDJ 3 Documentation – Upgrade
Ludo’s Sketches: What’s new in OpenDJ 3 – Part I
Ludo’s Sketches: What’s new in OpenDJ 3 – Part II
Ludo’s Sketches: What’s new in OpenDJ 3 – Part III

ForgeRock OpenIG 4 – Getting Credentials from ForgeRock OpenAM 13

Interested to see how ForgeRock Identity Gateway orchestrates with the ForgeRock Access Management solution to replay a User Credential on to a Legacy Application giving him/her access to it? There’s a screen-cast right below this write up. I had already posted a couple of entries on this space, demonstrating how OpenIG fetches User Credentials from different Datastores like a CSV file and a JDBC Database. While it’s not a prerequisite to know it before viewing the Video below, it might help get a good grip on the steps performed. So if you haven’t come across those blog entries yet, here it is:

ForgeRock OpenIG 4 – Getting Credentials from File Datastore
ForgeRock OpenIG 4 – Getting Credentials from Database

What to expect in the video?

– A user tries to access ‘http://openig.mydomain.com:8080/replay’ url
– A Java EE OpenAM Policy Agent sitting in front of the ‘http://openig.mydomain.com:8080′ url intercepts the request from the client (user’s browser) and redirects the request to ForgeRock OpenAM (http://openam.mydomain.com:8080/openam)
– ForgeRock OpenAM will send the OpenAM Login Page back to the user
– The user supplies the credential, which the OpenAM verifies. If authentication is successful,OpenAM adds the username of the user and his/her encrypted password to the session and sends it to Java EE Policy Agent
– Java EE Policy agent validates the user’s session, gives control to OpenIG.
– Because the URL that the client requested for (http://openig.mydomain.com:8080/replay), matches a specific route (say 04-route.json) configured in OpenIG, it applies the filters in the route configuration file. The first filter will use a shared key (also known to the OpenAM) to decrypt the encrypted password sent by OpenAM. The second filter will retrieve the username and password from the exchange and replaces your browser’s original HTTP GET request with an HTTP POST login request that contains the credentials to authenticate and the third filter will remove the username and password headers before continuing to process the exchange.
– The HTTP server validates the credentials and respond back to OpenIG with user’s profile page
– OpenIG sends that response to the End user

Note: OpenAM in our setup is configured to process a ‘Password Replay’ Java Class on successful authentication. The Java EE agent in OpenAM is configured only for Single Sign On (SSO) and is configured to add the UserToken (username) and sunIdentityUserPassword (password) as session attributes in HTTP header. And the FQHN of OpenAM deployment in the Video demonstration is ‘idp.mydomain.com’ and not ‘openam.mydomain.com’

To satisfy your Visual Cortex, here’s an illustration of the steps above:

OpenIG Fetching Credentials from OpenAM-Modified

Now on to the step by step configuration. Enjoy!

Related Documentation / Video:
– ForgeRock OpenIG Documentation
– Screncast on ‘ForgeRock OpenIG 3.x : Getting Credentials from OpenAM

ForgeRock OpenIG 4 – Getting Credentials From Database

To know how ForgeRock OpenIG 4 is configured to fetch User Credentials from a Database for User Authentication (a process transparent to the User), the following Video log might help. I had posted a similar video on this space earlier, but that then the User Credentials were fetched from a Flat File (CSV). The flow isn’t quite different from that, just that a Filter used by ForgeRock OpenIG in this case is different and that we should configure the OpenIG to connect to the DB.

In the video, we’ll:
– Install the H2 Database. Create ‘Users’ table and load User data in it
– Configure OpenIG (deployed in Jetty) to connect to the Database
– Prepare OpenIG Route Configuration file to fetch User Credentials (based on a Email address) and post the data to HTTP Server, who responds with the User profile page

For those whose right side of the brain is more prominent, here’s the visual representation of what is mentioned above:

OpenIGGettingCredentialsfromDB-Updated

For those who don’t want to think too much looking at the illustration below, but would like to sit back, relax and enjoy watching a show, here’s the video. Enjoy!

Related Documentation/Video
ForgeRock OpenIG Documentation
Screencast on using OpenIG 3.x to Connect to a JDBC Datastore

ForgeRock OpenIG 4 – Getting Credentials From File Datastore

If we’ve just moved ahead of ‘Getting Started with OpenIG 4‘, the following screen-cast might of some interest. In fact, this is a remake of a video that’s posted here, which was based on now older version of ForgeRock OpenIG.

So what’s in the video here? We’ve a CSV file with some User details. A user tries to access a URI, which hits OpenIG, who by using some Route Configuration files, looks up User Credentials from the CSV file and posts it to the HTTP Server, to get a User Profile Page (Post Authentication Landing Page) in return. So the Client, without having to go through the inconvenience of supplying his/her User Credentials, gets the Post Authentication Landing Page from the HTTP Server. See, if my attempt to capture the flow below makes sense.

ForgeRock OpenIG 4 - Getting Credentials from File Datastore

If that didn’t make your life easy, hopefully the demonstration in the video will. Enjoy!

Related Documentation/ Video:
ForgeRock OpenIG Documentation
ForgeRock OpenIG 3.x – Getting Credentials from File Datastore

Getting Started with ForgeRock OpenIG 4

If you haven’t gotten started with the newer version of ForgeRock OpenIG, the following Video might be of some help. I’ve done this before, but using now an older version of the Product. So if you are familiar with that, then this gives you an assurance that everything continues to work as before, and that there is more to it (that’s a story for another day though). So if you haven’t gotten your hands dirty with ForgeRock’s Identity Gateway solution, I invite you to have a look at it, and everything that you may need to get started with it, you will find it in the video below.

Very quickly, let me tell what’s done in the Screen-cast:

– Install Jetty
– Deploy ForgeRock OpenIG in Jetty
– Install Minimal HTTP Server
– Configure ForgeRock OpenIG to post user Credentials to the HTTP Server to return a User Profile Page (so the authentication process is transparent to the user.

Please note that the practice of hard-coding the User Credential is something that you’ll probably never see in a real world scenario, but of course the intent here is only to get a rough idea of what the OpenIG can do. The illustration below might give you a decent idea on the flow:

GettingStartedWithOpenIG4

The video, I’m confident, will make it more clear.Enjoy!

Related Documentation/Video:
ForgeRock OpenIG Documentation
ForgeRock OpenIG (3.x) Installation and Configuration in a Linux Container

Setting Up Email and User Self Registration in ForgeRock OpenIDM 4

A few months back, I had published a post with a video demonstration on setting up Email in now older version of ForgeRock OpenIDM. If you haven’t seen it and would like to take a look at it, it’s here. Between now and then a lot of things changed, one of which is an improved UI in the recently released OpenIDM 4. If you’ve four minutes to spare, watch the video below to see how good a work has gone into the OpenIDM 4 UI improvement.

Enjoy!

ForgeRock OpenIDM 4: Installing a Repository for Production (PostgreSQL))

ForgeRock OpenIDM 4 uses OrientDB as its default datastore, which is good for learning and evaluation, but not suitable for a Production environment. In an earlier post on this space, we looked at the Configuration of MySQL database as the repository for OpenIDM 4. Picking up from there, because a site that I know of uses PostgreSQL instead of MySQL, made a quick demonstration on setting up OpenIDM 4 with PostgreSQL.

Enjoy!

Related ForgeRock Documentation:
Setting up OpenIDM with PostgreSQL

ForgeRock OpenIDM 4: Installing a Repository for Production (MySQL)

Think of this post as a remake of an earlier one done several months back. Well, just tha, the earlier blog post in reference here was based on a now older version of OpenIDM, ForgeRock‘s Identity Management Solution. As always, I’m grateful to the ForgeRock documentation team for a clean write up on the Configuration of MySQL as a repository for ForgeRock OpenIDM 4.

Related Video/Documentation:
Video – Setting Up ForgeRock OpenIDM with MySQL (OpenIDM 3.x)
Documentation – Setting up OpenIDM with MySQL

ForgeRock Authenticator (OATH) in ForgeRock OpenAM 13

If you’re in possession of a Smart Phone that runs either the Apple iOS or Android, you may probably be interested to know that the ForgeRock’s newer version of its Access Management solution now has an Authenticator App for you. Once installed and the device registered with ForgeRock OpenAM 13, one could use this Mobile App to generate One Time Password to validate his/her identity and thereby gain access to resources protected by the OpenAM. Needless to add, the ForgeRock Authenticator Mobile App is available on Apple iTunes Store for the iOS users and the Google Playstore for the Android fans.

Once installed, you’ll see on your phone something close to what is in the picture below:


ForgeRockMobileAuthenticator

Here’s what I did with my copy of ForgeRock Authenticator App on my iPhone:

– Configured an Authentication Chain ‘myAuthChain’ in my OpenAM 13 instance
– The said chain consisted of two Authentication Modules namely DataStore & ForgeRock Authenticator (OATH)
– When a subject authenticates against the ‘myAuthChain’ Authentication Chain in OpenAM, he/she is prompted for the DataStore credentials (an embedded OpenDJ instance), which on success is followed by another prompt where the user can register his/her device (using QR Code), generate an OTP that can be used to gain access to the resources protected by OpenAM.

2FAForgeRockAuthenticator

If you are interested to see all of this in action, please spare five minutes to watch the video below.

Enjoy!

Related documents/videos:
ForgeRock Documentation
Smart Security Using Phone App Demo

SAML2 as ForgeRock OpenAM 13 Authentication Module Instance

Well, you’ve possibly heard about the release of newer version of the ForgeRock Identity Platform with several enhanced capabilities. If not, you can read about it all here. One of the new features in the Access Management component of ForgeRock Identity Platform is SAML2 Authentication Module. What that offers is, after configuring Federation, we could supply all the required details like the IDP entity, the binding method etc. in an Authentication Module instance of the ForgeRock Access Management solution and use it just like any other Authentication Module (LDAP, Database, HOTP etc.). Let’s see how that’s done in a video demonstration that follows this write up. And, by the way, if you’d like to get a quick idea what’s new in the newer version of ForgeRock Access Management solution, read the release notes here.

We’ve already discussed OpenAM Federation on this space before. Here’s list of links from the past:

ForgeRock OpenAM Federation Using SAML v2
Using SAML Assertion Attributes in ForgeRock OpenAM

While the following video walks through the OpenAM Federation Configuration from the scratch, if you feel there are details missing in it, please feel free to have a look at the web logs mentioned above. The main focus of the screen-cast below is only to see how SAML2 is used as an Authentication Module instance in the version 13 of ForgeRock OpenAM.

The following illustration might give a quick idea on what’s demonstrated in the video embedded below this post.

OpenAMFederation
Now on to the screen-cast. Enjoy!

New Year Wishes – Year 2016

When the clock hands sweep two more rounds, our life takes a turn, or at least that’s what some of us believe. Not this year alone, but for several years that have gone by, many of us perhaps anticipated a complete make over once every dozen months. Three weeks into changing our calendars, a good number of us tore apart a list of life changing activities , quite seriously drafted over a New Year Eve, on every New Year Eve maybe,  one that’s not too different from what we may have in possession today. Agreed, all of it is past and is way behind us, but with a fresh start in place we might be brimming with confidence, backed up by an unprecedented optimism to run through a brand new set of resolutions that’ll keep our waistline in check, maintain a steady spend pattern, polish CV with new impressive skill sets, and last but not the least, strike a balance in life. May it be so!

A research says that a goal set on Monday or similar “temporal landmarks” is pursued more seriously than otherwise. While I don’t know of a data that talks the same way of a goal set on a New Year, I wish you achieve all of that you’ve in your mind in the year to come. Personally, I continue to believe that to gain something in life, we ought to set a goal, develop strong will, work hard, maintain enthusiasm, persevere and be grateful. For that, we can take a call ‘Here and Now’, not necessarily only on a New Year Eve.  Well, that makes my New Year look Black & White, devoid of any thrilling action. But when the world is taking a pause to reflect on the glory days of life in the past twelve months, laugh away the mistakes made, overcome the pain of losses, and look forward to offer a warm welcome to a New Year, let me stop by you to say , “Thank you”, for whatever role you played in my life, not just in the year that’s passing by, but for ever and a day, in making me what I’m today or putting me where I stand.

If we have known each other for some years now, you know well of my ritual to reach over to you on this very occasion, largely to let you know that you are in my thoughts, strong as ever before, and that I stay grateful to you for being there for me. I’ve always held my faith onto the invisible architect, who I believe, carefully constructs moments after moments in our life, even that of connecting us through Channels that, at times, appear so very strange. It’s foolish not to say “Thank God” in a note that has gratefulness painted all over it.

And if life is made up of many moments, why not spend some of it on the last day of this year in Fun and Celebration. Like you, I hardly fancy a New Year sans difficult events. All the same, I hope we can all pump in enough positivity to as much of moments as we can in the coming year for a flourishing life. So before you get busy with the fireworks tonight, here’s wishing you, your friends & family, from the bottom of my heart, a Happy, Healthy and Prosperous Year 2016.

Configuring Roles in ForgeRock OpenIDM 4

Merry Christmas!

For those interested to know how to configure Roles in ForgeRock OpenIDM, here’s my Christmas gift. A video at the end of this post will walk you through the installation of both ForgeRock OpenIDM and ForgeRock OpenDJ, configure the latter as an external resource in OpenIDM, performing reconciliation to bring in users from OpenDJ to OpenIDM. That’s not it, because all of that I’ve shown you earlier as well. Then, what’s more? Here it is:

OpenIDMRoles
So we go on and create Roles in OpenIDM, which has Managed Assignments that in turn has Attributes associated with an external resource (ForgeRock OpenDJ). So when a Role is assigned to a user in OpenIDM, based on the value of Attribute that is attached to the Role, the user will be subscribed to a group in the OpenDJ. If it sounds confusing,please don’t waste time reading it again, instead watch the video below, it’ll all be crystal clear.

Enjoy!

Installation of ForgeRock OpenIDM 4 and Configuration of ForgeRock OpenDJ as its External Resource

It’s not for no reason that I picked up ‘Whistling Down the Road’ by Silent Partner (Courtesy: Google YouTube Audio Library) as the audio background for the screen-cast embedded on this blog post. The installation of ForgeRock OpenIDM 4 is one such experience, as in like just whistling away down the road! See it to believe it and don’t forget to try it.

I’ve done a similar screen-cast before, but that’s using OpenIDM 3.x. Be wary of the fact that the software used in this screen-cast is not yet read for Production. But now that the ForgeRock Management have given us this clue on the road ahead for the ForgeRock Products, it makes sense to start exploring it (if not already done).

So in the video below, you’ll see the lightning fast installation of both OpenIDM and OpenDJ and configuration of OpenDJ as an External Resource for OpenIDM.

Enjoy!

Using SAML Assertion Attributes in ForgeRock OpenAM – Concluding Episode: Using SAML Assertion Attributes

You’ve reached the concluding episode of a four part video made on using SAML v2 Assertion attributes in an application protected by ForgeRock OpenAM. I don’t need to mention that this being the last one in the lot, it may seem pointless to read/view this entry independently without going through the entries below, preferably in the exact same order as is listed:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes

We can safely say that the diagram below is the end state of our demonstration:

image05

So what we’ve in there is a client attempting to access the protected J2EE Application, which is intercepted by the OpenAM Policy Agent, who in turn redirects the request to an IDP initiated SSO URL, resulting in a Login page to the end user from IDP. The IDP would then validate the credentials supplied by the end user, and if found authentic, sends an assertion to the SP with the user attributes (like mail, telephonenumber) specified in the Federation Configuration. Because it uses Transient Federation, the user will not have a profile in SP, still the attributes in the Assertion is available in the user’s session to be used by the Agent to pass on to the application. It may have sounded complicated, but I’m confident that the concluding episode of a rather lengthy screen-cast can help you figure it all.

I want to take a moment to Thank you! to have spent time reading/viewing my web logs on ‘Using SAML Assertion Attributes’ and sincerely hope it was useful.

Enjoy!

Using SAML Assertion Attributes in ForgeRock OpenAM – Episode 03/04 : Configuring Transient Federation in ForgeRock OpenAM

This is the third episode from a four part video made on using SAML v2 Assertion attributes in an application protected by ForgeRock OpenAM. In the interest of continuity and also to get the context accurately, it may make sense to read/view the blog posts in the following order:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes

Let me throw a picture at you:

image04

The diagram is a slightly modified version of the one that you would have seen in my earlier blog entry. It has one additional user in the Identity Provider (which of course seems like a world famous detective and that’s no coincidence), but no corresponding entry in the Service Provider. In the Identity Federation Configuration earlier, we saw how a user with an id ‘demo’ in the Identity Provider linked her account with her id in the Service Provider. But there can be situations, when we may want to use Federation with identities only at the IDP, still gaining access to the applications protected by the SP. That’s where Transient Federation comes into play. It maps the identities from IDP to an anonymous user in the SP (many to one mapping).

Enjoy!

Using SAML Assertion Attributes in ForgeRock OpenAM – Episode 02/04 : Configuring SAML 2.0 Federation in ForgeRock OpenAM

This is the second entry from a series of four blog entries made around using SAML v2 Assertion attributes in an application protected by ForgeRock OpenAM. Reading/viewing this as an independent entry may not be a futile exercise, but it may seem more effective if the following order is followed while going through this topic:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes

At end of this episode, the following is what you get:

image03

So the diagram above shows a Circle of Trust established between two entities (an Identity Provider and a Service Provider), each of which is an OpenAM instance running in two different Linux Containers. In this scenario, a user (with id ‘demo’) has profile in both IDP and SP, and by virtue of Identity Federation, she manages to link those accounts, after which once she authenticates against the IDP, IDP can send a assertion to SP, validating the authenticity of the user.

Enjoy!

Using SAML Assertion Attributes in ForgeRock OpenAM – Episode 01/04 : Protecting a J2EE Application with ForgeRock OpenAM

This is first of four blog entries that aims at demonstrating how to use SAML Assertion Attributes in an Application protected by ForgeRock OpenAM. For the convenience of viewing, a thirty five odd minutes screen-cast has been split into four sections, the first of which is embedded on this blog post. While each entry talks of an independent facility in ForgeRock OpenAM, it makes sense to read/view them in the following order:

1. Protecting a J2EE Application with ForgeRock OpenAM
2. Configuring Federation in ForgeRock OpenAM
3. Configuring Transient Federation in ForgeRock OpenAM
4. Using SAMLv2 Assertion Attributes

Image01

As you can possibly make out from the illustration above, there are three Linux Containers being used in our demonstration, two of which runs an OpenAM instance each. A third Linux Container is used for installing a J2EE Application. The illustration captures the end state of this segment, where a J2EE Application is protected by an OpenAM J2EE Agent, making sure all client requests to it are intercepted by the Agent and redirected to the OpenAM for Authentication/Authorization.

Enjoy!

Distributed Authentication in ForgeRock OpenAM

Let me start with a word of caution. I made a screen-cast to demonstrate the Distributed Authentication in ForgeRock OpenAM and you’ll find the same embedded on this post. Some of my actions in there are questionable and should never be attempted even in a development environment, such as setting a URL in the OpenAM Administration Console to redirect to after a Successful Authentication. This video demonstration is solely intended to give a hint on the positioning of Distributed Authentication UI in OpenAM Deployment Topology, but several other things like Network/Firewall configuration, Post Authentication Processing that goes hand in hand with the Distributed Authentication in OpenAM was beyond the scope of this short screen-cast. I really hope you get an idea on what the Distributed Authentication in OpenAM is expected to achieve.

The following illustration might give you an idea on what’s demonstrated in the video. We have a client network who cannot (or who is not supposed to) access the OpenAM Server in a different Network directly (say for Security reasons). So in a Demilitarized Zone (DMZ) or Perimeter Network, we have a Server that offers a Distributed Authentication UI to the clients from the ‘untrusted network’. That way, the clients get to see the UI of OpenAM by access the Server in DMZ, who would in turn talk to the OpenAM Server through a trusted channel. As one can imagine, Network Configuration like Firewall plays an important role in a deployment scenario, but sadly that’s all beyond the scope in our mini demonstration.

DistributedAuthUI
So if you have ~10 minutes to spare, watch it

Enjoy!


Thanks: ForgeRock Documentation on OpenAM

MySQL Database as Identity Repository for ForgeRock OpenAM

ForgeRock OpenAM has three types of repositories:

(i) Configuration Repository that stores the OpenAM configuration data (ForgeRock OpenDJ)
(ii) Authentication Repository that’s used by OpenAM to Perform User Authentication (has more than 20 options out of the box)
(iii) Identity Repository that stores the User Profiles (has several options like LDAP v3, OpenDJ, AD, IBM’s Directory Server and Database [Eary Access])

Someone asked me the details on configuring a Database as the Identity Repository for ForgeRock OpenAM, so as soon as I got a chance, created the following screen-cast to demonstrate the use of MySQL Database as an Identity Repository for ForgeRock OpenAM. It’s fairly straightforward.

Enjoy!

ForgeRock OpenAM Deployment Training in Bangalore, India

Just yesterday, I concluded a five day ForgeRock University training program on ForgeRock OpenAM at Bangalore. I wish to express my sincere gratitude to each one in the picture below for showing up for a ForgeRock University course on our Access Management solution and wish them success in their ForgeRock Projects.

OpenAMDeploymentTraining
To know what we discussed during the training or to subscribe for one such program, all details are here.

If you aren’t looking for a detailed program on our Products as the one you find in the link above, we do offer half a day free (as in beer) overview session on both ForgeRock OpenAM and ForgeRock OpenIDM, the details of which are below (keep checking the links below for the next occurrence):

ForgeRock OpenAM Product Overview
ForgeRock OpenIDM Product Overview

Lastly, if you are keen to validate/demonstrate your skills in ForgeRock OpenAM, check out ForgeRock Certified OpenAM Specialist Exam.

Again, to all my friends who dropped by for the OpenAM training, thanks for all the fun and learning.

OpenAMTrainingCollage

ForgeRock OpenAM and Social Authentication (Facebook) using OAuth2

The video demonstration embedded below this write-up is dangerously similar to the video here , published more than three months ago. I’ve had challenges making this one though, which is when my colleagues Jon Knight and Albert Ayoub stepped forward to lend a helping hand. So if you ready, let’s see how ForgeRock OpenAM lets a user authenticate against his/her Facebook account to gain access to OpenAM (read applications protected by OpenAM).

Enjoy!

There is a very useful article around this right here.

ForgeRock OpenAM Federation Using SAML v2

If you experience Deja Vu by looking at the illustration just below, chances are that you’ve hit my blogs before, in particular on this entry, where we looked at ForgeRock OpenAM as an Identity Provider and ForgeRock OpenIG as a Service Provider.

A friend asked me if I could demonstrate a very simple configuration of Federation using two ForgeRock OpenAM instances, one acting as an Identity Provider (a.k.a IDP) and another one taking up the role of a Service Provider (a.k.a SP). It wasn’t difficult to do one, so here we have it embedded towards the end of this post.

OpenAMFederation

So what do we have here:

– A Circle of Trust which has two OpenAM instances, one of which acting as an Identity Provider and another one as Service Provider
– User always authenticates against the Identity Provider
– The authentication process is intiated either by the IDP (known as IDP initiated SSO) or by the SP (SP initiated SSO)
– Once the user is authenticated successfully, IDP sends across a piece of security information to the SP (known as assertion) that could contain user attributes
– SP then gives the user access to protected resources

In the demonstration that follows, because ‘Auto Federation’ is not enabled, during the first login the user will be prompted for credentials both by the IDP and the SP. Once the account linking is done, it’s only the IDP who would challenge the user.

If the illustration and the briefing above hasn’t given you the complete picture, the video below might give a better one.

Enjoy!

Managing Account Status Notification in ForgeRock OpenDJ

In a couple of blog posts published in the recent past, One on ForgeRock OpenAM and another on ForgeRock OpenIDM, we had a look at configuring E-mail Services in the aforesaid Products. And it’ll be grossly unfair, if we don’t touch upon the same topic in ForgeRock’s Directory Services solution: OpenDJ

Thanks to the following articles/documents:

ForgeRock Documentation on Managing Account Status Notification in OpenDJ
Mark Craig’s blog
Ludo’s Sketches

Thanks, also to the authors of following contents for helping with the SMTP Server Configuration:

Ubuntu Forum Thread
ArchLinux Forum Thread
DigitalOcean Tutorial

And now on to my ~15 minute long video log on Managing Account Status and Notification in OpenDJ.

Enjoy!

Sending Emails from ForgeRock OpenIDM

No one wants to stay logged in on to the User Interface of a Provisioning Tool, waiting for the approval requests to flood into their queue in order to take an appropriate action. We have other things to do in life and for matters that require our attention we all expect notifications, don’t we? Without doubt, one very common and an easy channel for notification is Email, which some consider to be the first and the last killer app of the Internet. Just like many other configurations, setting up Outbound Email in ForgeRock OpenIDM is a walk in the park. If you have just over 5 minutes to spare, watch how it’s done in the video below:

Enjoy!

Deeply indebted to this section of the ForgeRock Documentation on OpenIDM.

ForgeRock OpenIG as SAML 2.0 Service Provider

This post is based on the ForgeRock Documentation on configuring OpenIG as SAML 2.0 Service Provider. The video logs embedded just below this write up is a visual representation of what is already there in the document that I mentioned above. For a detailed study, please read through the documentation and then sit back, relax and watch the demonstration in the screen-cast below

SAML 2.0 as you probably know is a standard to exchange information between a SAML authority (a Identity Provider a.k.a IDP) and a SAML Consumer (a Service Provider a.k.a SP). In the demonstration that follows ForgeRock OpenAM acts as an Identity Provider and ForgeRock OpenIG acts as a Service Provider. So the authentication of a user is done by the IDP, who will then send a piece of information (Assertion) to the SP that could contain the attributes of user from the user’s profile in the IDP DataStore. SP will then use the information thus obtained (Assertion) to take further action (like giving access to the user etc.)

There are two ways of getting this done:
(i) SP initiated SSO
(ii) IDP initiated SSO

In simple words, in a SP initiated SSO, the user contacts the Service Provider, who in turns gets in touch with the Identity Provider, who would validate the user credentials and then exchange a piece of information (Assertion) that could contain the user attributes to the Service Provider. Whereas a IDP initiated SSO, the IDP will authenticate the user, and would then send an unsolicited message (Assertion) to the SP, who would then take further action (like giving access to the user etc.)

The following two illustrations might give a rough idea:

SAM2UsingOpenIG

In our story (above in the illustration and below in the video), a user authenticates against ForgeRock OpenAM (IDP), who will send then an assertion (containing user’s mail and employeenumber attribute) to ForgeRock OpenIG (Service Provider), who will apply filters (like extracting the attributes from assertion and posting it as username and password) to post the user’s credentials to a protected application (Minimal HTTP Server)

If you’ve got a vague picture on what’s discussed above, I’d believe it’ll be clearer after watching the video below:

Enjoy!

User Self Registration in ForgeRock OpenAM Concluding Part – Using REST

In an earlier post, we saw User Self Registration in ForgeRock OpenAM using XUI. It’s likely that you may not want to use the UI that comes with OpenAM, but may have reasons to build your own UI/Application on the REST API to operate on ForgeRock’s Access Management Solution. Keeping that in mind, a discussion on User Self Registration in OpenAM is incomplete without showing you how it is done using REST. Like many other examples you may already be familiar with around REST calls to ForgeRock products, you’ll see the usage of simple, yet powerful ‘curl’ to invoke REST calls to OpenAM for Self Registering a User. Here’s a list of related video blogs that you may want to watch before watching the one that’s embedded below.

User Self Registration in ForgeRock OpenAM Part I – Using XUI
E-mail Service Configuration in ForgeRock OpenAM

If you are ready, let’s go:

User Self Registration in ForgeRock OpenAM Part I – Using XUI

ForgeRock OpenAM is not meant for User Provisioning. Consider, ForgeRock OpenIDM for the same. Still, OpenAM does offer a facility for User Self Registration. In this segment, let’s have a look at how it’s done using the User Interface of OpenAM (XUI). As you can guess, it’s not a difficult task at all. Have a look.

Before I forget, the E-mail Service needs to be configured in OpenAM for the User Self Registration to work, so if you don’t know how that’s done, we have another video here.

Enjoy!

E-mail Service Configuration in ForgeRock OpenAM

In a less than 2 minute video that follows, you’ll see me setting up E-mail service in ForgeRock OpenAM, a facility that is used by OpenAM features such User Self Registration. Because I know for certain I’ll have to refer to this video on a number of occasions in future while demonstrating other capabilities of OpenAM, I’ve decided to keep this video tutorial separate and independent. It’s tiny, of course:

Enjoy!

ForgeRock OpenDJ Password Policy Part II – Subentry Based Password Policy

This post picks up from where we left last time and takes the next step to demonstrate Subentry Based Password Policy in ForgeRock OpenDJ. I owe a great detail of gratitude to the ForgeRock documentation team for this neat write up on OpenDJ Password Policy as well to Ludovic Poitou for his blog post. So in under 5 minutes time, we take our discussion on OpenDJ Password Policy to conclusion.

Enjoy!

ForgeRock OpenDJ Password Policy Part I – Server Based Password Policy

Someone asked me if I could do a video on ForgeRock OpenDJ Password Policy. Though it took me a while to get over my laziness to do one, finally I’ve the first of two part video that demonstrates the Password Policy in OpenDJ. In the first part that’s embedded below, we get to know about the System based Password Policy in OpenDJ and how to make changes to it. OpenDJ installation is covered very quickly, so if you aren’t too comfortable with the OpenDJ installation or the basic LDAP commands for that matter, I humbly suggest you take a quick look here first.

Enjoy!

Still on DSEE? Try ForgeRock OpenDJ

This post in inspired by Ludovic Poitou’s reply to a thread in the ForgeRock OpenDJ Forum around DSEE to ForgeRock OpenDJ migration. Consider this to be just a hint, and not an answer. In a video log that’s embedded just below this write up, you’ll see some clues on a couple of different methods that you could consider to move away from a product that’s now in sustaining stage to ForgeRock’s Directory Services Solution. I don’t need to mention here how important a task it is to carefully draft a plan for migration from one product to another, and I’m sure you’ll not take this video log as the only reference while doing so.

So if you’ve half an hour to spare, you’ll see in the video:
Act 1:
– A ‘Flash Back’ on DSEE installation and configuration
– Exporting the data from the DSEE instance
– Installation & Configuration of ForgeRock OpenDJ
– Importing the DSEE instance backup to ForgeRock OpenDJ
Act 2:
– Installation of ForgeRock OpenIDM
– Configuration of External LDAP Server (DSEE instance) as a Managed Resource in ForgeRock OpenIDM (using samples)
– Configuration of OpenDJ instance as a Managed Resource in ForgeRock OpenIDM (using the UI)
– Reconciliation between the DSEE instance (source) and OpenDJ instance (target)

Enjoy!

Certification in ForgeRock OpenIDM Episode I: Initial Reconciliation

If this was a book, what we have here is a prologue. Just as you don’t expect the prologue to throw a full story at you, so does this web log unveil absolutely no details around Certification in ForgeRock OpenIDM. What it does though is to setup a ‘plot’ for a possible video demonstration on Certification facility in ForgeRock’s Identity Management Solution. And that’s coming soon…

So in the video log, that’s actually a visual representation of the brilliant ForgeRock Documentation on OpenIDM, you’ll see:
– Installation of ForgeRock OpenDJ
– Configuration of OpenDJ as an external resource managed by OpenIDM (using sample files)
– Performing the initial reconciliation using REST to load users from OpenDJ to OpenIDM

Soon we’ll put all those users in action for Certification in OpenIDM. For now, just as you’d skim through the prologue of a book, take a quick look at the ~5 minute video

Baby Step in DTrace on ForgeRock OpenDJ

I’m a big fan of Brendan Gregg. The DTrace Book that he co-authored with Jim Mauro stands one of the best I’ve read in Computer Science. While I continue to take my baby steps in DTrace, I thought I’d share with you my video log on attempting to explore ForgeRock OpenDJ using the pid provider in DTrace. Brendan Gregg has published a number of blogs around the pid provider, all of which is accessible from his consolidated blog entry here. OTN has very generously published one chapter from the DTrace Book that talks of using DTrace on Applications, in which the pid provider and its use is detailed.

And with the source code of all ForgeRock Products accessible to the public for study, DTrace might just be the tool that you may want to get your hands on for some fun.

Enjoy!

Provisioning Users to PostgreSQL Database Table Using ForgeRock OpenIDM

This one is rather uncomplicated. ForgeRock OpenIDM does provisioning well, be it to a Directory Server, a Database or even to several other external resources. The following video log demonstrates exactly that. You’ll see:

– Super quick installation of ForgeRock OpenIDM
– Installation of PostgreSQL database, creation of user with super user role in PostgreSQL, creation of a database and finally creation of a table
– Configure the OpenIDM Database connector to connect to the PostgreSQL database table created in the above mentioned step
– And finally see how the users from OpenIDM are provisioned on to the PostgreSQL database table

It’s all very simple and easy to understand. So enjoy!

ForgeRock OpenAM Multi Factor Authentication Using Adaptive Risk Authentication Module & OTP

In this episode, you’ll see ForgeRock OpenAM’s two factor authentication feature employing it’s Adaptive Risk Authentication Module instance and HOTP module instance

So in the video demonstration that follows this post, you’ll see a user attempting to login against an Authentication Chain (say ‘MyAuthChain’) which has three module instances namely (i) Data Store, (ii) Adaptive Risk and (iii) HOTP. If the user is able to supply the right credentials against the Data Store, he or she is allowed in without any further challenge. On the other hand, if the the attempt to authenticate against the first Module instance (Data Store) fails, then the user is prompted for additional credentials like One Time Password.

The following illustration might give a rough idea on the what’s discussed above and the video that follows might make it pretty clear.

MultiFactorAuthentcation

Enjoy!

ForgeRock OpenIG as OAuth 2.0 Resource Server

First things first, screen-cast that follows this write up is based on the ForgeRock documentation on OpenIG that’s found here. Secondly, if you aren’t familiar with ForgeRock OpenIG or ForgeRock OpenAM, I’d recommend you to do some reading on the products from the official ForgeRock documentation or watch the following screen-casts on it to become familiarized with it:

ForgeRock OpenIG
ForgeRock OpenIG Installation
ForgeRock OpenIG: Getting Credentials from a File Data Store
ForgeRock OpenIG: Getting Credentials from a JDBC Data Store
ForgeRock OpenIG: Getting Credentials from ForgeRock OpenAM

ForgeRock OpenAM
ForgeRock OpenAM Installation & Configuration
Creating Realm in OpenAM and Setting Up OpenDJ as a Data Store
ForgeRock OpenAM Authentication With Google Account Using OAuth2
ForgeRock OpenAM High Availability Deployment
Configuring Database as OpenAM Log Type
ForgeRock OpenAM 12: Switching from XUI to Legacy UI
Adding User Profile Attribute in ForgeRock OpenAM

Cut to present, we have OpenIG acting as a resource server. So in the video log, you’ll see the curl command being used to contact OpenAM to get an Access Token, use the same command to contact OpenIG with the Access Token, which is when OpenIG (acting as a resource server), will contact OpenAM (acting as an authorization server) for validating the token. Once validated, OpenIG will apply additional filters to post the credentials to a HTTP Server and get the user profile in response to it. A one-liner definition for the mouthful of jargon I used above can be found here. The illustration below might make the long story said above slightly shorter.

OpenIGASOauth2ResourceServer

Now to the real action:

ForgeRock OpenIDM User Provisioning Workflow

ForgeRock OpenIDM, very simply put, manages the identity, not necessarily of users all the time. In a short video demonstration that follows, I’ve taken efforts to show you a very simple user provisioning workflow in OpenIDM. When an employee in an organization initiates an onboard contract, the workflow is launched and the request reaches a manager, who then pickups the request and approves (or reject) it. Consequently, the new user’s identity is provisioned on a resource.

This video demonstration owes heavily to this section of ForgeRock documentation.

What’s in the video is a simple exercise and I strongly encourage anyone interested in ForgeRock’s Identity Management solution to try it and see. Well, if you say you aren’t familiar with the OpenIDM installation, that isn’t difficult either, you can watch it here.

Enjoy!

Adding User Profile Attribute in ForgeRock OpenAM

In my earlier blog post titled Extending the ForgeRock OpenDJ Schema there was an embedded screen-cast that demonstrated how a new attribute could be added to the user profile in OpenDJ. We take one step further in this section to modify at Service in ForgeRock OpenAM to display that attribute in OpenAM Console. So if you’ve watched or if you know how to extend the OpenDJ schema to add a new user attribute, the following video log will tell you what you need to do on OpenAM to display it in the console.

Enjoy!

Accessing ForgeRock OpenDJ Administration GUI (OpenDJ Control Panel) from a Ubuntu Linux Container

You will find an entry on my blogs that talked about the installation of Linux Container and further demonstrated ForgeRock OpenDJ installation and configuration in it. In the last several days, though I posted some contents on OpenDJ, I never introduced my kind readers to the Administration GUI that the OpenDJ product comes with. That was mainly because I was struggling to get the GUI from a Linux Container. This morning I was determined more than ever before to get over this roadblock, and, boy, did manage to figure out, perhaps, one among the many ways of doing it. In the following screen-cast, you’ll see me installing VNC Server on my Linux Container (Ubuntu 14.04.2 LTS) that has OpenDJ in it and then use a VNC client from the Host OS (Ubuntu 14.10) to access the OpenDJ Control Panel, a very convenient tool to browse the OpenDJ Directory data. Very soon, you’ll see me using OpenDJ control panel for a serious reason. Thank you for your patience.

ForgeRock OpenIG: Getting Credentials from ForgeRock OpenAM

In this episode, you’ll see how ForgeRock OpenIG picks up user credentials from ForgeRock OpenAM, and gives the user access to an application. Now that’s quite a bit of information in a single line. So let’s break it down into pieces:

– A user tries to access ‘http://openig.mydomain.com:8080/replay’ url
– A Java EE OpenAM Policy Agent sitting in front of the ‘http://openig.mydomain.com:8080’ url intercepts the request from the client (user’s browser) and redirects the request to ForgeRock OpenAM (http://openam.mydomain.com:8080/openam)
– ForgeRock OpenAM will send the OpenAM Login Page back to the user
– The user supplies the credential, which the OpenAM verifies. If authentication is successful,OpenAM adds the username of the user and his/her encrypted password to the session and sends it to Java EE Policy Agent
– Java EE Policy agent validates the user’s session, gives control to OpenIG.
– Because the URL that the client requested for (http://openig.mydomain.com:8080/replay), matches a specific route (say 04-route.json) configured in OpenIG, it applies the filters in the route configuration file. The first filter will use a shared key (also known to the OpenAM) to decrypt the encrypted password sent by OpenAM. The second filter will retrieve the username and password from the exchange and replaces your browser’s original HTTP GET request with an HTTP POST login request that contains the credentials to authenticate and the third filter will remove the username and password headers before continuing to process the exchange.
– The HTTP server validates the credentials and respond back to OpenIG with user’s profile page
– OpenIG sends that response to the end user
A couple of things though: OpenAM in our setup is configured to process a ‘Password Replay’ Java Class on successful authentication. The Java EE agent in OpenAM is configured only for Single Sign On (SSO) and is configured to add the UserToken (username) and sunIdentityUserPassword (password) as session attributes in HTTP header.

The picture below may not speak thousand words, but it does speak all the words I uttered above:

OpenIGWithOpenAM

If you’re new to ForgeRock OpenIG, I recommend viewing screen-casts at the following links first:
ForgeRock OpenIG Installation & Configuration
ForgeRock OpenIG: Getting Credentials from File Data Source
ForgeRock OpenIG: Getting Credentials from JDBC Data Source

The following video would not have been possible, but with the help of ForgeRock Documentation.

Enjoy!

ForgeRock OpenIDM: Setting Up SSL With MySQL Internal Repository

If you’ve already seen the video demonstration on setting up ForgeRock OpenIDM to use a JDBC repository, you may now be interested to know how to secure the traffic from ForgeRock OpenIDM to its JDBC repository. So in the video that follows, you will see:

– Setting up SSL in MySQL database
– Configuring OpenIDM to use SSLto the MySQL database (its internal repository)
Like several other videos that I’ve already published on this blog space around ForgeRock products, this one also makes use of Ubuntu 14.10 host 0S. A Linux Container running Ubuntu 14.04.2 LTS is where we’ve our ForgeRock OpenIDM and MySQL database running. The illustration below might help you get a quick picture about the infrastructure used for the screen-cast:

OpenIDMwithSSLtoJDBC-01
Hope you’ll find the video log useful:

Thanks
MySQL Product Documentation
ForgeRock Documentation

Setting Up ForgeRock OpenAM with HTTPS on Tomcat

This post is a demo version of the ForgeRock Documentation on Setting Up OpenAM with HTTPS on Tomcat. I had earlier published a screen-cast on the ForgeRock OpenAM deployment and Configuration on a Apache Tomcat Container running in a LXC. If you haven’t watched it yet, and would like to have a look at it, it’s right here. Below you’ll find the steps that I run in my Ubuntu Linux Container to secure our OpenAM deployment:

– Create a Certificate & store it in keystore in a Linux Container
– Modify the Tomcat Server Configuration file (server.xml) to enable SSL (on port 8443)
– Deploy ForgeRock OpenAM
– Access OpenAM from the host OS and complete the configuration

If it’s hard for your visualize how the infrastructure looks like, here’s an illustration to make life easy.

OpenAMWithSSL

Now on to the action:

ForgeRock OpenDJ Replication – Enabling Encryption

This is a sequel to my earlier blog update on ForgeRock OpenDJ Replication and is largely inspired by a question raised in the ForgeRock Community Website. So if you are not very familiar with the steps involved in configuring OpenDJ Replication, I suggest you read/watch it before watching the embedded video below:

One-liner about the infrastructure used: two Linux Containers, each running an instance of ForgeRock OpenDJ is already replicating the OpenDJ data, but the replication traffic is not secure. In the video demonstration that follows, we’ll tighten the security a bit by encrypting the replication traffic as well as monitor the same using wireshark running on the host OS. Well, the diagram below indicates the end state of our screen-cast:

OpenDJReplicationEncrypted

Enjoy!

ForgeRock OpenIG: Getting Credentials From JDBC Data Source

This update could be considered a variant of an earlier post around ForgeRock OpenIG. And it’s highly recommended you watch my screen-cast on ‘OpenIG Authentication From File DataStore’ (or the blog update mentioned above) before viewing the video embedded below. As always, for making the video demonstrations that you see below, I just followed the neat instruction from the ForgeRock documentation.

An illustration below for giving you an idea of what’s in store in my 8 minute video:

OpenIGJDBCDatastore
And here’s quick explanation on what’s happening:
step (1) OpenIG intercepts your browser’s HTTP GET request. The request matches the new route configuration (“/sql”)
Step (2) The OpenIG ‘SQLAttributesFilter’ looksup credentials for ‘sholmes@example.com’ in the H2 database
step (3) The ‘SQLAttributesFilter’ stores the credentials fetched in step 2 in Exchange
step (4) The ‘StaticRequestFilter’ retrieves the credentials from Exchange, replaces the original HTTP GET request with HTTP POST login that contains the credentials to authenticate
step (5) OpenIG now sends HTTP POST to the Application (listening on port 8081)
Step (6) The application (on port 8081) validates the authentication credentials and sends the response to OpenIG
step (7) The OpenIG now sends the response to the client (which happens to be user profile)

Now sit back and enjoy the video:

ForgeRock OpenIDM REST Interface

I’ve already posted some entries around the ForgeRock OpenIDM, direct links to which are appended below in case you are interested:

ForgeRock OpenIDM Installation In a Linux Container”
ForgeRock OpenIDM Integration with ForgeRock OpenDJ
Setting up ForgeRock OpenIDM with MySQL
Configuring ForgeRock OpenIDM in a Cluster

The following video log is a very light one, partly because I haven’t done a video on REST interface around OpenIDM, but have done similiar ones for both OpenDJ and OpenAM, and partly because I’m feeling too sleepy to do a screen-cast on tougher topics. Talking of REST, in case if you haven’t seen my earlier reference to a neat and curt introduction to ForgeRock Common REST API, read it here.

Again, for those who are not familiar with REST calls to OpenIDM, the embedded video below might just give an idea of how to create a user and fetch a user profile in OpenIDM using REST.

Configuring Database as OpenAM Log Type

That the ForgeRock OpenAM audit logs are extremely important is an understatement. By default, OpenAM uses flat files as log output format, but there does exist an option to configure OpenAM to generate audit logs onto a database. And when a friend today raised a question around it, I thought I should make a screen-cast on it, which is what you would find embedded below.

A bit about the system used for the screen-cast. I’m running two Linux Containers (Ubuntu 14.04.2 LTS), one of which has OpenAM installed & configured and the other container running an instance of MySQL database. Rest of the story should be straightforward in the video.

Special Thanks: David Goldsmith

ForgeRock OpenDJ Backup And Restore

I’ll keep this one short. Below you’ll find a screen-cast on ForgeRock OpenDJ backup and restoration commands. A detailed documentation on backup and restoration in OpenDJ can be found at ForgeRock documentation site.

Other blog entries (video logs) related to OpenDJ are appended below:

ForgeRock OpenDJ Installation In a Linux Container
ForgeRock OpenIDM Integration with ForgeRock OpenDJ
Creating Realm in ForgeRock OpenAM and Configuring ForgeRock OpenDJ as a Data Store
ForgeRock OpenDJ Replication Across Linux Containers
RESTful Operations on ForgeRock OpenDJ

ForgeRock OpenAM High Availability Deployment

A video demonstration on ForgeRock OpenAM deployment as a standalone instance in a Tomcat Server was posted earlier on my blog. For a production ready environment, it is important to have multiple instances of OpenAM running in a site. In the video that’s embedded below, you’ll get to see:

– An existing deployment of ForgeRock OpenAM in a Linux Container
– Installation & Configuration of a new instance of ForgeRock OpenAM in a separate Linux Container joining an existing OpenAM deployment
– Configuration of a OpenAM site that includes two OpenAM instances as mentioned above
– Installation and Configuration of HA Proxy in a separate Linux Container
– Demonstration of load balancing by HA Proxy to the back end OpenAM Servers

A great deal of information required for doing a demonstration on OpenAM HA environment and in turn the rules to be used by the HA Proxy was picked up from Mark Craig’s blog.

The illustration below might give an idea on the infrastructure used in the video demonstration. There are three Linux Containers in a Ubuntu 14.10 host, one of which has the first instance of OpenAM, the second one has another instance of OpenAM and the third one running HA Proxy to load balance the requests to two instances of OpenAM. The client requests go to the Linux Container running HA Proxy, from where the HA Proxy redirects the requests to either one of the OpenAM instances running in two different Linux Containers.

If you’ve got some some bit of idea looking at the illustration above, I can assure you, it’ll be clearer watching the demonstration below. A word of caution though: the infrastructure used here is only for demonstration purpose, for a very serious highly available environment, you may have to consider other virtualization technologies.

Enjoy!

1 2 3 7