Authentication session
Session storage location options:
- Server side - Core Token Service (CTS) token store
- Client side - JWT
- In-Memory
https://openam.forest.io:8443/openam/XUI/?realm=worksite&service=myCredentialLogin#login/
Open AM 7.2
Global Setting: Configure -> Global Service -> User Self-Service -> User Registration -> Enable
Realm Setting: {Realm} -> Services -> Add a Service -> User Self-Service -> User Registration -> User registration -> Enable
The following exercise was conducted on Google Cloud Platform.
Software | Version |
---|---|
OpenAM | 6.5.2 |
Tomcat | 9.0.22 |
Amster | 6.5.2 |
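resource "google_compute_instance" "bastion" {
  name         = "bastion-host"
  zone         = "europe-west2-a"
  machine_type = "n1-standard-1"
  tags         = ["fw-bastion"]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    subnetwork = "${var.my-vpc-dmz}"
    # An empty access_config asks GCP for an ephemeral public IP; that is what
    # makes this host reachable as a bastion from outside the VPC.
    access_config {
    }
  }

  # First-boot script, run as root by the guest agent. Written as a heredoc so
  # each step is readable and can fail the boot loudly (set -e) instead of
  # silently continuing after a broken download. Inside a Terraform string a
  # literal "$" is written as "$$"; the original single-line version used
  # "${JAVA_OPT}" unescaped, which Terraform tries to interpolate.
  metadata_startup_script = <<-EOT
    #!/bin/bash
    set -euo pipefail
    apt-get update
    apt-get -y install unzip openjdk-11-jdk
    # Fetch the Tomcat tarball over TLS and check it against the SHA-512 from
    # the Apache release page before unpacking. Replace the placeholder with
    # the published value; sha512sum -c aborts the script on a mismatch.
    wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.22/bin/apache-tomcat-9.0.22.tar.gz
    echo "<TOMCAT_9_0_22_SHA512_PLACEHOLDER>  apache-tomcat-9.0.22.tar.gz" | sha512sum -c -
    tar xzf apache-tomcat-9.0.22.tar.gz
    mv apache-tomcat-9.0.22 /usr/local/apache-tomcat9
    # These go into root's ~/.bashrc, since the script runs as root; they are
    # for interactive use only and do not affect how Tomcat itself starts.
    echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64' >> ~/.bashrc
    echo 'export CATALINA_HOME=/usr/local/apache-tomcat9' >> ~/.bashrc
    # Tomcat's startup scripts read JAVA_OPTS (not JAVA_OPT) from bin/setenv.sh.
    # The heap flags take no space before the size: -Xms2048m, not "-Xms 2048m".
    echo 'export JAVA_OPTS="$${JAVA_OPTS:-} -Xms2048m -Xmx2048m"' > /usr/local/apache-tomcat9/bin/setenv.sh
  EOT

  service_account {
    scopes = ["cloud-platform"]
  }
}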
./amster
// Bootstraps a fresh AM instance. The admin password is passed on the command
// line here (a lab value); for anything that outlives the exercise, use a
// strong non-default value and keep it out of shell history.
install-openam --serverUrl http://openam.local:8080/AM-6.5.2 --adminPwd password --acceptLicense
// -i connects interactively, prompting for the amadmin credentials instead of
// taking a key file on the command line.
connect -i http://openam.local:8080/AM-6.5.2
// The --body value is JSON with its double quotes escaped for the amster
// argument parser. parentPath "/" puts the new realm directly under the root.
create Realms --global --body "{ \"name\" : \"SMEP\", \"active\" : true, \"parentPath\" : \"\/\", \"aliases\" : [\"smep.local\"] }"
To verify that the realm was created:
// Lists every realm; the output should show both the root realm ("/") and SMEP.
query Realms --global
Output
===> [
{
"name": "/",
"active": true,
"aliases": [
"openam",
"openam.internal"
],
"_rev": "1848604971",
"_id": "Lw"
},
{
"name": "SMEP",
"active": true,
"parentPath": "/",
"aliases": [
"smep.local"
],
"_rev": "1128333176",
"_id": "L1NNRVA"
}
]
https://backstage.forgerock.com/docs/amster/6.5/entity-reference/#sec-amster-entity-userselfservice
// Enables self-registration for the SMEP realm. Only the fields given here are
// set; everything else in the output below is the service default.
// signingSecretKeyAlias / encryptionKeyPairAlias look like keystore aliases —
// confirm both exist in the AM keystore, otherwise the flow cannot sign or
// encrypt its tokens. Email verification is switched off, so a registration
// completes with no out-of-band confirmation of the mail address.
create UserSelfService --realm SMEP --body "{ \"generalConfig\" : { \"signingSecretKeyAlias\" : \"selfservicesigntest\", \"encryptionKeyPairAlias\" : \"selfserviceenctest\" }, \"userRegistration\" : { \"userRegistrationEnabled\" : true, \"userRegisteredDestination\" : \"default\", \"userRegistrationEmailVerificationEnabled\" : false } }"
Output
===> {
"generalConfig": {
"encryptionKeyPairAlias": "selfserviceenctest",
"signingSecretKeyAlias": "selfservicesigntest",
"captchaVerificationUrl": "https://www.google.com/recaptcha/api/siteverify",
"kbaQuestions": [
"4|en|What is your mother's maiden name?",
"3|en|What was the name of your childhood pet?",
"2|en|What was the model of your first car?",
"1|en|What is the name of your favourite restaurant?"
],
"minimumAnswersToDefine": 1,
"minimumAnswersToVerify": 1,
"validQueryAttributes": [
"uid",
"mail",
"givenName",
"sn"
]
},
"userRegistration": {
"userRegistrationEnabled": true,
"userRegistrationCaptchaEnabled": false,
"userRegistrationEmailVerificationEnabled": false,
"userRegistrationEmailVerificationFirstEnabled": false,
"userRegistrationKbaEnabled": false,
"userRegistrationTokenTTL": 300,
"userRegistrationEmailSubject": [
"en|Registration email"
],
"userRegistrationEmailBody": [
"en|<h2>Click on this <a href=\"%link%\">link</a> to register.</h2>"
],
"userRegistrationValidUserAttributes": [
"userPassword",
"mail",
"kbaInfo",
"givenName",
"inetUserStatus",
"sn",
"username"
],
"userRegisteredDestination": "default"
},
"forgottenPassword": {
"forgottenPasswordEnabled": false,
"forgottenPasswordCaptchaEnabled": false,
"forgottenPasswordEmailVerificationEnabled": true,
"forgottenPasswordKbaEnabled": false,
"numberOfAttemptsEnforced": false,
"numberOfAllowedAttempts": 1,
"forgottenPasswordTokenTTL": 300,
"forgottenPasswordEmailSubject": [
"en|Forgotten password email"
],
"forgottenPasswordEmailBody": [
"en|<h2>Click on this <a href=\"%link%\">link</a> to reset your password.</h2>"
]
},
"forgottenUsername": {
"forgottenUsernameEnabled": false,
"forgottenUsernameCaptchaEnabled": false,
"forgottenUsernameKbaEnabled": false,
"forgottenUsernameEmailUsernameEnabled": true,
"forgottenUsernameShowUsernameEnabled": false,
"forgottenUsernameTokenTTL": 300,
"forgottenUsernameEmailSubject": [
"en|Forgotten username email"
],
"forgottenUsernameEmailBody": [
"en|<h2>Your username is <span style=\"color:blue\">%username%</span>.</h2>"
]
},
"profileManagement": {
"profileProtectedUserAttributes": [
]
},
"advancedConfig": {
"userRegistrationConfirmationUrl": "http://openam.internal:8080/AM-6.5.2/XUI/?realm=${realm}#register/",
"forgottenPasswordConfirmationUrl": "http://openam.internal:8080/AM-6.5.2/XUI/?realm=${realm}#passwordReset/",
"userRegistrationServiceConfigClass": "org.forgerock.openam.selfservice.config.flows.UserRegistrationConfigProvider",
"forgottenPasswordServiceConfigClass": "org.forgerock.openam.selfservice.config.flows.ForgottenPasswordConfigProvider",
"forgottenUsernameServiceConfigClass": "org.forgerock.openam.selfservice.config.flows.ForgottenUsernameConfigProvider"
},
"_rev": "-787143084",
"_type": {
"_id": "selfService",
"name": "User Self-Service",
"collection": false
},
"_id": ""
}
# Starts the self-registration flow. The request carries no credentials — the
# endpoint is reachable anonymously once registration is enabled — and returns
# the requirements of the first stage ("userDetails" in the output below).
curl -H 'Accept-API-Version: resource=1.0, protocol=1.0' \
  http://openam.internal:8080/AM-6.5.2/json/realms/SMEP/selfservice/userRegistration
Output
{"type":"userDetails","tag":"initial","requirements":{"$schema":"http://json-schema.org/draft-04/schema#","description":"New user details","type":"object","required":["user"],"properties":{"user":{"description":"User details","type":"object"}}}}
# Submits the user details for the registration stage. Which attributes may be
# supplied is governed by userRegistrationValidUserAttributes in the service
# config above; the values here are throwaway lab data. The password goes over
# plain http in this setup, so do not reuse a real one.
curl -X POST \
  -H 'Accept-API-Version: resource=1.0, protocol=1.0' \
  -H 'Content-Type: application/json' \
  -d '{
"input": {
"user": {
"username": "dennislee",
"givenName": "Dennis Lee",
"sn": "User",
"mail":"[email protected]",
"userPassword": "forgerock",
"inetUserStatus": "Active"
}
}
}' \
  'http://openam.internal:8080/AM-6.5.2/json/realms/SMEP/selfservice/userRegistration?_action=submitRequirements'
Output
{"type":"activityAuditStage","tag":"end","status":{"success":true},"additions":{}}
Verify that the user was created successfully:
# Binds as Directory Manager to the embedded DJ (localhost:50389 in the OpenDJ
# data store config below) and lists every entry that has a uid.
# -w puts the bind password on the command line, where shell history and
# process listings can read it; OpenDJ's ldapsearch can take it from a file
# via --bindPasswordFile instead.
# The userpassword values in the output are base64-wrapped salted hashes (they
# decode to a "{SSHA512}" prefix), not the plaintext that was submitted.
ldapsearch -h openam.internal -p 50389 -D "cn=Directory Manager" -b "dc=openam,dc=forgerock,dc=org" "(uid=*)" -w password
Output
dn: uid=demo,ou=people,dc=openam,dc=forgerock,dc=org
objectclass: iplanet-am-managed-person
objectclass: inetuser
objectclass: sunFederationManagerDataStore
objectclass: sunFMSAML2NameIdentifier
objectclass: inetorgperson
objectclass: sunIdentityServerLibertyPPService
objectclass: devicePrintProfilesContainer
objectclass: iplanet-am-user-service
objectclass: iPlanetPreferences
objectclass: pushDeviceProfilesContainer
objectclass: forgerock-am-dashboard-service
objectclass: organizationalperson
objectclass: top
objectclass: kbaInfoContainer
objectclass: person
objectclass: sunAMAuthAccountLockout
objectclass: oathDeviceProfilesContainer
objectclass: webauthnDeviceProfilesContainer
objectclass: iplanet-am-auth-configuration-service
cn: demo
inetuserstatus: Active
sn: demo
uid: demo
userpassword:: e1NTSEE1MTJ9YzVZY2FuZlVNb09WSTcwa29vV2ZBNHhGaXhLVmRJZDFmNGxZVU4
za1JDS1Vvc2JqVlppVG1tVkg4YnI5NmFPdTB5L0g0bW94dWE5bGNvODFpVmZRSXI5dndVZVl2WEc3
dn: uid=dennislee,ou=people,dc=openam,dc=forgerock,dc=org
objectclass: iplanet-am-managed-person
objectclass: inetuser
objectclass: sunFederationManagerDataStore
objectclass: sunFMSAML2NameIdentifier
objectclass: inetorgperson
objectclass: sunIdentityServerLibertyPPService
objectclass: devicePrintProfilesContainer
objectclass: iplanet-am-user-service
objectclass: iPlanetPreferences
objectclass: pushDeviceProfilesContainer
objectclass: forgerock-am-dashboard-service
objectclass: organizationalperson
objectclass: top
objectclass: kbaInfoContainer
objectclass: person
objectclass: sunAMAuthAccountLockout
objectclass: oathDeviceProfilesContainer
objectclass: webauthnDeviceProfilesContainer
objectclass: iplanet-am-auth-configuration-service
cn: dennislee
givenName: Dennis Lee
inetuserstatus: Active
mail: [email protected]
sn: User
uid: dennislee
userpassword:: e1NTSEE1MTJ9U1lUSjdZMmxFNFdTVHVDQTF5aHN6Wkdva3kraFlaSUxwcEFsSjJ
6RmkrM3FqcnZkWklVc0dSKzRuQnNEOEpDWmlZUC8waDNRTFdSdUx6TTBYS0lsR3p2Rjc1K3hUcVhW
// Dumps the realm's OpenDJ identity-store configuration; --filter true matches
// every entry. The output includes the bind DN used by AM, so treat it as
// sensitive when sharing.
query OpenDJ --realm SMEP --filter true
Output
===> [
{
"ldapsettings": {
"sun-idrepo-ldapv3-config-ldap-server": [
"localhost:50389",
"localhost:50389|01"
],
"sun-idrepo-ldapv3-config-authid": "cn=Directory Manager",
"openam-idrepo-ldapv3-proxied-auth-enabled": false,
"sun-idrepo-ldapv3-config-organization_name": "dc=openam,dc=forgerock,dc=org",
"sun-idrepo-ldapv3-config-connection-mode": "LDAP",
"sun-idrepo-ldapv3-config-connection_pool_min_size": 1,
"sun-idrepo-ldapv3-config-connection_pool_max_size": 10,
"openam-idrepo-ldapv3-heartbeat-interval": 10,
"openam-idrepo-ldapv3-heartbeat-timeunit": "SECONDS",
"sun-idrepo-ldapv3-config-max-result": 1000,
"sun-idrepo-ldapv3-config-time-limit": 10,
"sun-idrepo-ldapv3-config-search-scope": "SCOPE_SUB",
"openam-idrepo-ldapv3-behera-support-enabled": true,
"openam-idrepo-ldapv3-contains-iot-identities-enriched-as-oauth2client": false
},
"pluginconfig": {
"sunIdRepoClass": "org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo",
"sunIdRepoAttributeMapping": [
],
"sunIdRepoSupportedOperations": [
"realm=read,create,edit,delete,service",
"user=read,create,edit,delete,service",
"group=read,create,edit,delete"
]
},
"userconfig": {
"sun-idrepo-ldapv3-config-users-search-attribute": "uid",
"sun-idrepo-ldapv3-config-users-search-filter": "(objectclass=inetorgperson)",
"sun-idrepo-ldapv3-config-user-objectclass": [
"iplanet-am-managed-person",
"inetuser",
"sunFederationManagerDataStore",
"sunFMSAML2NameIdentifier",
"inetorgperson",
"sunIdentityServerLibertyPPService",
"devicePrintProfilesContainer",
"iplanet-am-user-service",
"iPlanetPreferences",
"pushDeviceProfilesContainer",
"forgerock-am-dashboard-service",
"organizationalperson",
"top",
"kbaInfoContainer",
"person",
"sunAMAuthAccountLockout",
"oathDeviceProfilesContainer",
"webauthnDeviceProfilesContainer",
"iplanet-am-auth-configuration-service"
],
"sun-idrepo-ldapv3-config-user-attributes": [
"sunIdentityServerPPLegalIdentityLegalName",
"sunIdentityServerPPSignKey",
"iplanet-am-auth-configuration",
"iplanet-am-user-alias-list",
"iplanet-am-user-password-reset-question-answer",
"mail",
"assignedDashboard",
"authorityRevocationList",
"dn",
"sunIdentityServerDiscoEntries",
"sunIdentityServerPPCommonNameFN",
"iplanet-am-user-password-reset-options",
"sunIdentityServerPPLegalIdentityVATIdValue",
"employeeNumber",
"sunIdentityServerPPEmergencyContact",
"createTimestamp",
"kbaActiveIndex",
"sunIdentityServerPPAddressCard",
"sunIdentityServerPPLegalIdentityVATIdType",
"sunIdentityServerPPDemographicsTimeZone",
"caCertificate",
"iplanet-am-session-quota-limit",
"iplanet-am-user-auth-config",
"sunIdentityServerPPCommonNameSN",
"sun-fm-saml2-nameid-infokey",
"sunIdentityMSISDNNumber",
"iplanet-am-user-password-reset-force-reset",
"sunAMAuthInvalidAttemptsData",
"devicePrintProfiles",
"sunIdentityServerPPLegalIdentityMaritalStatus",
"iplanet-am-user-federation-info-key",
"givenName",
"iplanet-am-session-get-valid-sessions",
"objectClass",
"adminRole",
"sunIdentityServerPPEncryPTKey",
"sunIdentityServerPPCommonNameCN",
"sunIdentityServerPPInformalName",
"sunIdentityServerPPLegalIdentityAltIdValue",
"inetUserHttpURL",
"iplanet-am-user-account-life",
"postalAddress",
"userCertificate",
"preferredtimezone",
"iplanet-am-user-admin-start-dn",
"oath2faEnabled",
"preferredlanguage",
"sunIdentityServerPPFacadeWebSite",
"sun-fm-saml2-nameid-info",
"sunIdentityServerPPFacadeNamePronounced",
"sunIdentityServerPPDemographicsBirthDay",
"userPassword",
"iplanet-am-session-service-status",
"telephoneNumber",
"sunIdentityServerPPDemographicsDisplayLanguage",
"iplanet-am-session-max-idle-time",
"sunIdentityServerPPCommonNamePT",
"distinguishedName",
"iplanet-am-session-destroy-sessions",
"kbaInfoAttempts",
"modifyTimestamp",
"uid",
"iplanet-am-user-success-url",
"iplanet-am-user-auth-modules",
"sunIdentityServerPPEmploymentIdentityOrg",
"kbaInfo",
"memberOf",
"sn",
"sunIdentityServerPPEmploymentIdentityAltO",
"preferredLocale",
"sunIdentityServerPPMsgContact",
"manager",
"iplanet-am-user-federation-info",
"iplanet-am-session-max-session-time",
"sunIdentityServerPPCommonNameMN",
"sunIdentityServerPPLegalIdentityGender",
"sunIdentityServerPPCommonNameAltCN",
"cn",
"sunIdentityServerPPLegalIdentityAltIdType",
"sunIdentityServerPPDemographicsAge",
"sunIdentityServerPPFacadegreetmesound",
"oathDeviceProfiles",
"webauthnDeviceProfiles",
"iplanet-am-user-login-status",
"sunIdentityServerPPEmploymentIdentityJobTitle",
"sunIdentityServerPPFacadeMugShot",
"sunIdentityServerPPLegalIdentityDOB",
"pushDeviceProfiles",
"push2faEnabled",
"inetUserStatus",
"sunIdentityServerPPFacadeGreetSound",
"sunIdentityServerPPDemographicsLanguage",
"iplanet-am-user-failure-url",
"iplanet-am-session-max-caching-time"
],
"sun-idrepo-ldapv3-config-createuser-attr-mapping": [
"cn",
"sn"
],
"sun-idrepo-ldapv3-config-isactive": "inetuserstatus",
"sun-idrepo-ldapv3-config-active": "Active",
"sun-idrepo-ldapv3-config-inactive": "Inactive",
"sun-idrepo-ldapv3-config-people-container-name": "ou",
"sun-idrepo-ldapv3-config-people-container-value": "people",
"sun-idrepo-ldapv3-config-auth-kba-attr": [
"kbaInfo"
],
"sun-idrepo-ldapv3-config-auth-kba-index-attr": "kbaActiveIndex",
"sun-idrepo-ldapv3-config-auth-kba-attempts-attr": [
"kbaInfoAttempts"
]
},
"authentication": {
"sun-idrepo-ldapv3-config-auth-naming-attr": "uid"
},
"groupconfig": {
"sun-idrepo-ldapv3-config-groups-search-attribute": "cn",
"sun-idrepo-ldapv3-config-groups-search-filter": "(objectclass=groupOfUniqueNames)",
"sun-idrepo-ldapv3-config-group-container-name": "ou",
"sun-idrepo-ldapv3-config-group-container-value": "groups",
"sun-idrepo-ldapv3-config-group-objectclass": [
"top",
"groupofuniquenames"
],
"sun-idrepo-ldapv3-config-group-attributes": [
"dn",
"cn",
"uniqueMember",
"objectclass"
],
"sun-idrepo-ldapv3-config-uniquemember": "uniqueMember",
"sun-idrepo-ldapv3-config-memberurl": "memberUrl"
},
"persistentsearch": {
"sun-idrepo-ldapv3-config-psearchbase": "dc=openam,dc=forgerock,dc=org",
"sun-idrepo-ldapv3-config-psearch-filter": "(&(!(objectclass=frCoreToken))(!(ou:dn:=services))(!(ou:dn:=tokens)))",
"sun-idrepo-ldapv3-config-psearch-scope": "SCOPE_SUB"
},
"errorhandling": {
"com.iplanet.am.ldap.connection.delay.between.retries": 1000
},
"cachecontrol": {
"sun-idrepo-ldapv3-dncache-enabled": true,
"sun-idrepo-ldapv3-dncache-size": 1500
},
"_rev": "1150387712",
"_type": {
"_id": "LDAPv3ForOpenDS",
"name": "OpenDJ",
"collection": true
},
"_id": "embedded"
}
]
// --id becomes the OAuth2 client id. --body takes the JSON shown below with its
// double quotes escaped, as in the create Realms call above. Several fields in
// that template are empty-string placeholders (tokenEndpointAuthMethod,
// responseTypes, the second grantTypes entry, ...) and must be filled in;
// userpassword is presumably the client secret — confirm before leaving it blank.
create OAuth2Clients --realm SMEP --id id --body "..."
Replace the body content with the following extract (the double quotes must be escaped, as in the earlier `create` commands). Note that the trailing comma after `1800` in `refreshTokenLifetime` is not valid JSON and must be removed.
Body content
{
"coreOAuth2ClientConfig" : {
"userpassword" : "",
"redirectionUris": {
"inherited" : true,
"value": []
},
"status": {
"inherited" : true,
"value": "true"
},
"refreshTokenLifetime": {
"inherited" : true,
"value": 1800,
},
"clientType" : {
"inherited" : true,
"value" : "Confidential"
},
"scopes" : {
"inherited" : true,
"value" : ["profile", "OIDC"]
}
},
"advancedOAuth2ClientConfig" : {
"tokenEndpointAuthMethod" : {
"inherited" : true,
"value" : ""
},
"grantTypes": {
"inherited" : true,
"value" : ["AUTHORIZATION_CODE", ""]
},
"responseTypes": {
"inherited" : true,
"value" : ["", ""]
}
},
"signEncOAuth2ClientConfig": {
"tokenEndpointAuthSigningAlgorithm": {
"inherited" : true,
"value" : ""
},
"userinfoResponseFormat": {
"inherited" : true,
"value" : ""
},
"clientJwtPublicKey": {
"inherited" : true,
"value" : ""
}
}
}