Active Directory Password Synchronisation and OpenIDConnect Federation using Open source Forgerock Stack - nitinprabhu/adpasswdsyncopenidconnect GitHub Wiki

Introduction

  • This project outlines how to synchronise password changes from Active Directory to LDAP and then federate with an OpenID Connect client, using the ForgeRock product stack.

Softwares required

  • We will be using the ForgeRock products below (you need to create an account on the ForgeRock Backstage site to download them):

    1. [Active Directory Password Sync Plugin 1.1.0](https://backstage.forgerock.com/downloads/OpenIDM/Password%20Sync%20Plugins/1.1.0/Active%20Directory%20Password%20Sync%20Plugin#list) --> The password sync plugin captures password changes in plain text before the password is hashed in AD and sends them to OpenIDM over an encrypted channel.
    2. OpenIDM 3.1 --> OpenIDM is a synchronisation engine which synchronises data (including passwords) to external resources such as LDAP, databases etc.
    3. OpenDJ 3.0 --> LDAP directory server which is forked from OpenLDAP.
    4. OpenAM 13.0 WAR --> OpenAM is an access management product which provides federation services and also acts as an identity provider, connecting to a custom backend such as OpenDJ for authenticating users.
  • You will also need the software below to test the flow:

  1. Oracle VirtualBox Manager
  2. Windows 10 (64-bit) VM created using VirtualBox (you may create any Windows VM which is available)
  3. Active Directory Domain Controller (Windows Server 2012)
  4. Active Directory

Steps for installation

  • The steps below need to be completed before we proceed with deploying the password sync agent.
  1. Domain Controller running on Windows Server 2012 with the AD Directory Service up and running.
  2. A user created in Active Directory (we will use this user to log in to a Windows machine joined to the AD domain).
  3. Oracle VirtualBox Manager installed and a Windows VM created (this is required so that you can use the Windows VM as a client which can join the AD domain. You will also need this if you need to install Windows Server 2012 on a virtual machine).
  4. To install Windows Server 2012 using VirtualBox please refer to http://blogs.getcertifiedgetahead.com/windows-server-8-virtual/
  5. To set up a Domain Controller on Windows Server 2012 please refer to http://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx
  6. A user created in Active Directory who can log in via a Windows machine joined to the Active Directory domain (you can create the user by logging in to the Windows Server and searching for "Active Directory Users and Computers", which should open the AD browser).
  7. Join the Windows client to the AD domain, as by default it will be in WORKGROUP. Please refer to http://www.howtogeek.com/99381/it-how-to-join-machines-to-your-active-directory-domain/
  • Once the prerequisite software above is installed, follow the steps below to configure password sync (AD --> OpenIDM --> OpenDJ) and then federate using OpenAM so that AD credentials can be used (OpenID Connect client --> OpenAM --> OpenDJ).
  1. Install OpenDJ with LDAPS enabled. Refer to the ForgeRock docs for details: https://backstage.forgerock.com/docs/opendj/3/install-guide#chap-install. During installation choose the option to create a base DN and also choose the option to create the base entry (do not select the option to leave the database empty).

  2. Unzip OpenIDM 3.1 into a folder and configure an LDAP connector to connect to the OpenDJ installed in the step above. Refer to [https://backstage.forgerock.com/docs/openidm/3.1/integrators-guide/chap-resource-conf#ldap-connector](https://backstage.forgerock.com/docs/openidm/3.1/integrators-guide/chap-resource-conf#ldap-connector) to configure a generic LDAP connector. Configuring an LDAP connector means connecting OpenIDM to OpenDJ through OpenICF connectors; OpenIDM provides many connectors for connecting to external resources. You can also set up the connector through the OpenIDM Admin UI. By default OpenIDM uses OrientDB as its internal repository, which is not recommended for production but is fine for evaluation.

  3. Create a managed user in OpenIDM through a curl command. This managed user is the same user that exists in Active Directory and who will log in through the Windows machine joined to the AD domain. In the real world this user would be created by reconciling data from Active Directory to OpenIDM using the Active Directory connector, but for evaluation we can use the curl command below:

     curl --header "Content-Type: application/json" --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request POST --data '{"userName":"nitinprabhu","accountStatus":"active","givenName":"nitin","sn":"prabhu","cn":"Nitin Prabhu","mail":"[email protected]"}' "http://localhost:8080/openidm/managed/user?_action=create"

  4. Set up a mapping from OpenIDM managed/user to LDAP so that whenever a password is updated in OpenIDM's internal repository it automatically gets updated in LDAP. The OpenIDM password sync agent will update the internal repository whenever it detects a password change in Active Directory. Refer to https://backstage.forgerock.com/docs/openidm/3.1/install-guide#more-sample2b to set up synchronisation mappings. You only need to set up a one-way mapping, i.e. from managed user to LDAP (in the sample you will find mappings in both directions, i.e. from managed user to LDAP and from LDAP to managed user).

  5. Now we need to deploy the password sync agent on the Windows server. Refer to https://backstage.forgerock.com/docs/openidm/3.1/integrators-guide#password-sync for details. Generate the ad-pwd-plugin-localhost.p12 certificate before proceeding with the installation, as you need to browse to the path of the P12 file during installation. If you need to reinstall the agent, make sure you delete everything under registry > HKEY_LOCAL_MACHINE > SOFTWARE > ForgeRock > OpenIDM > PasswordSync.

  6. This completes the setup for password synchronisation from AD --> OpenIDM internal repository (managed user) --> OpenDJ.

Testing the setup

  • Once all the steps are completed, change the password of the user on the Windows machine joined to the AD domain; that should sync the password to OpenDJ.
  • Check the password sync agent logs (the log location is specified during agent installation) and you should see a POST request made to OpenIDM with a Success status.
  • If you are getting a BadPaddingException/decryption error, this means there is a problem with the certificate installation. You need to regenerate the P12 certs, re-import them into the OpenIDM truststore, and deploy the agent again with the new certs. You also need to delete the registry keys and OpenIDM's internal repository (delete everything under /path/to/openidm/db/openidm/*).
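As an added check for the testing step above (example code written for this page, not part of the project): the script binds to OpenDJ over LDAPS as the synced user, so a successful bind (resultCode 0) confirms that the password OpenDJ now holds is the one just changed in AD, while resultCode 49 (invalidCredentials) means the sync did not land. The host, port, user DN and CA file are assumptions you set for your environment.

```python
import socket
import ssl

# Added example, not project code: LDAP simple bind (RFC 4511) over LDAPS using only the
# stdlib. The BER encoder/decoder below covers just what a bind request/response needs.

def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } } (msg_id < 128)."""
    op = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, op))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, buf[start:start + length], start + length

def bind_result_code(data):
    """Extract resultCode from a BindResponse [APPLICATION 1]; 0 = success, 49 = invalidCredentials."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30: raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)            # skip messageID
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61: raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(resp, 0)        # resultCode ENUMERATED comes first
    if tag != 0x0A: raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def check_synced_password(host, port, dn, password, cafile):
    """Bind over LDAPS; True only if OpenDJ accepts the password just changed in AD."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the OpenDJ server/CA cert (assumed path)
    with socket.create_connection((host, port)) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, dn, password))
        return bind_result_code(tls.recv(4096)) == 0

# e.g. (assumed DN/paths): check_synced_password("localhost", 1636, "uid=nitinprabhu,ou=People,dc=example,dc=com", new_pw, "opendj-ca.pem")
```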

Federation using OpenAM by authenticating against OpenDJ using AD credentials

  • We will authenticate users against OpenDJ, to which the passwords are synchronised, using OpenAM, and then redirect users once they are authenticated.
  • For evaluation purposes we will just deploy the OpenAM WAR in Apache Tomcat and not deploy any agents or configure the user interface.

Steps to configure OpenAM

  1. Download the latest OpenAM 13 WAR file from ForgeRock Backstage: https://backstage.forgerock.com/downloads/OpenAM/OpenAM%20Enterprise/13.0.0/OpenAM%2013#list.
  2. Download and install Apache Tomcat 7 and JDK 7+.
  3. Enable the Tomcat manager roles to deploy the OpenAM WAR through the Tomcat UI, or optionally deploy it manually by placing the WAR in the Tomcat webapps folder.
  4. Before you deploy the OpenAM WAR there are a few environment changes which need to be made. Refer to https://forgerock.org/openam/doc/bootstrap/install-guide/index.html#prepare-env for details.
  5. Once the OpenAM WAR is deployed, launch the application and configure OpenAM to use OpenDJ (to which the AD passwords are synchronised) as the backend for authentication. Refer to https://forgerock.org/openam/doc/bootstrap/install-guide/index.html#configure-openam-custom for details.
  6. Now you can log in to OpenAM using AD credentials.

Configuring OpenID Connect client in OpenAM

Hope this information is useful.