Active Directory Password Synchronisation and OpenIDConnect Federation using Open source Forgerock Stack - nitinprabhu/adpasswdsyncopenidconnect Wiki


Software required

  1. Oracle Virtual Box Manager
  2. Windows 10 (64-bit) VM created using VirtualBox (any available Windows VM will do)
  3. Active Directory Domain Controller(Windows Server 2012)
  4. Active Directory

Steps for installation

  1. Domain Controller running on Windows Server 2012 with the AD Directory Service up and running.
  2. A user created in Active Directory (we will use this user to log in to the Windows machine joined to the AD domain).
  3. Oracle VirtualBox Manager installed and a Windows VM created (this is required so that you can use the Windows VM as a client that joins the AD domain; you will also need it if you want to install Windows Server 2012 on a virtual machine).
  4. To install Windows Server 2012 using VirtualBox, please refer
  5. To set up the Domain Controller on Windows Server 2012, please refer
  6. A user created in Active Directory who can log in from a Windows machine joined to the Active Directory domain (you can create the user by logging in to Windows Server and searching for "Active Directory Users and Computers", which opens the AD browser).
  7. Join the Windows client to the AD domain, as by default it is a member of WORKGROUP. Please refer
  1. Unzip OpenIDM 3.1 into a folder and configure an LDAP connector to connect to the OpenDJ instance installed in the step above. Refer [] ( to configure a generic LDAP connector. Configuring an LDAP connector means connecting OpenIDM to OpenDJ through an OpenICF connector; OpenIDM provides many connectors for external resources. You can also set up the connector through the OpenIDM Admin UI. By default OpenIDM uses OrientDB as its internal repository, which is not recommended for production but is fine for evaluation.

  2. Create a managed user in OpenIDM with the curl command below. This managed user is the same user that exists in Active Directory and who will log in through the Windows machine joined to the AD domain. In the real world this user would be created by reconciling data from Active Directory into OpenIDM using the Active Directory connector, but for evaluation the following command is enough (the header names must contain no spaces, i.e. X-OpenIDM-Username and X-OpenIDM-Password, otherwise OpenIDM does not recognise them):

         curl --header "Content-Type: application/json" \
              --header "X-OpenIDM-Username: openidm-admin" \
              --header "X-OpenIDM-Password: openidm-admin" \
              --request POST \
              --data '{"userName":"nitinprabhu","accountStatus":"active","givenName":"nitin","sn":"prabhu","cn":"Nitin Prabhu","mail":"[email protected]"}' \
              "http://localhost:8080/openidm/managed/user?_action=create"

  3. Set up a mapping from OpenIDM managed/user to LDAP so that whenever a password is updated in OpenIDM's internal repository it is automatically written to LDAP. The OpenIDM password sync agent updates the internal repository whenever it detects a password change in Active Directory. Refer to set up the synchronisation mappings. You only need a one-way mapping, i.e. from managed user to LDAP (the sample maps both ways, i.e. from managed user to LDAP and from LDAP to managed user).

  4. Now deploy the password sync agent on the Windows server. Refer for details. Generate the ad-pwd-plugin-localhost.p12 certificate before starting the installation, as the installer asks you to browse to the P12 file. If you need to reinstall the agent, make sure you first delete everything under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\ForgeRock\OpenIDM\PasswordSync.

  5. This completes the setup for password synchronisation: AD --> OpenIDM internal repository (managed user) --> OpenDJ.
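Step 3's one-way mapping, written out as an added example (this is not the wiki's own configuration and not ForgeRock's sample sync.json): the script below emits a sync.json that contains only the managed/user to LDAP direction and then checks that no mapping pushes a password back into managed/user, which is the mistake the two-way sample invites, since an LDAP to managed reconciliation would overwrite the value the AD agent just delivered. The connector name system/ldap/account and the base DN ou=People,dc=example,dc=com are assumptions; match them to your provisioner file.

```python
#!/usr/bin/env python3
"""Write a one-way OpenIDM sync.json mapping (managed/user -> OpenDJ) and check it.

Added example for this page, not ForgeRock's sample configuration. Assumptions:
the LDAP connector is registered as system/ldap/account and user entries sit
under ou=People,dc=example,dc=com (both hypothetical; match your provisioner file).
"""
import json

PEOPLE_BASE_DN = "ou=People,dc=example,dc=com"   # assumed base DN for users
LDAP_TARGET = "system/ldap/account"              # assumed connector resource name

# Only this direction is wanted: the password sync agent writes the AD password
# into managed/user, and this mapping pushes it on to userPassword in OpenDJ.
MANAGED_TO_LDAP = {
    "name": "managedUser_systemLdapAccounts",
    "source": "managed/user",
    "target": LDAP_TARGET,
    "properties": [
        {"source": "userName", "target": "dn",
         "transform": {"type": "text/javascript",
                       "source": "'uid=' + source + ',%s'" % PEOPLE_BASE_DN}},
        {"source": "userName", "target": "uid"},
        {"source": "givenName", "target": "givenName"},
        {"source": "sn", "target": "sn"},
        {"source": "cn", "target": "cn"},
        {"source": "mail", "target": "mail"},
        {"source": "password", "target": "userPassword"},
    ],
    # Standard OpenIDM situation/action pairs: create missing LDAP entries,
    # update linked ones, and never touch anything the mapping does not own.
    "policies": [
        {"situation": "CONFIRMED", "action": "UPDATE"},
        {"situation": "FOUND", "action": "UPDATE"},
        {"situation": "ABSENT", "action": "CREATE"},
        {"situation": "MISSING", "action": "CREATE"},
        {"situation": "UNQUALIFIED", "action": "IGNORE"},
    ],
}


def password_flow_problems(sync_config: dict) -> list:
    """Return human-readable problems with how passwords flow in a sync.json dict.

    Two checks: the forward mapping must actually write userPassword, and no
    mapping into managed/user may carry a password (it would clobber the value
    the AD agent delivered on the next LDAP -> managed reconciliation).
    """
    problems = []
    mappings = sync_config.get("mappings", [])
    forward = [m for m in mappings
               if m.get("source") == "managed/user" and m.get("target") == LDAP_TARGET]
    if not any(p.get("target") == "userPassword"
               for m in forward for p in m.get("properties", [])):
        problems.append("no managed/user -> %s mapping writes userPassword" % LDAP_TARGET)
    for m in mappings:
        if m.get("target") != "managed/user":
            continue
        for p in m.get("properties", []):
            if p.get("target") == "password":
                problems.append("mapping %r pushes %s back into managed/user password"
                                % (m.get("name"), p.get("source")))
    return problems


def render_sync_json() -> str:
    """The complete one-way sync.json as text, ready to drop into openidm/conf."""
    return json.dumps({"mappings": [MANAGED_TO_LDAP]}, indent=4)


if __name__ == "__main__":
    config = {"mappings": [MANAGED_TO_LDAP]}
    print(render_sync_json())
    print("problems:", password_flow_problems(config) or "none")
```

Run the checker against your real conf/sync.json (json.load it and pass the dict) after copying the sample mappings; if it reports a mapping that pushes a password back into managed/user, drop that property from the reverse mapping or remove the reverse mapping altogether, as the wiki recommends.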

Testing the setup
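
The whole chain (AD --> OpenIDM managed user --> OpenDJ) can be checked end to end with one LDAP simple bind against OpenDJ as the synchronised user, using the password you set in Active Directory; that bind is also exactly what OpenAM's data store performs at login. The script below is an added example, not part of the wiki or of the ForgeRock tools, and encodes the bind itself so it needs nothing beyond the Python standard library. It assumes OpenDJ listens on localhost:1389 without TLS (lab defaults) and that the user's entry is uid=<userName>,ou=People,dc=example,dc=com; both are assumptions to adjust.

```python
#!/usr/bin/env python3
"""Verify the AD -> OpenIDM -> OpenDJ password chain with an LDAP simple bind.

Added example for this page, not ForgeRock tooling. Assumed: OpenDJ on
localhost:1389 without TLS (lab only) and user entries under
uid=<userName>,ou=People,dc=example,dc=com. Usage:
    python3 check_bind.py <userName> <AD password>
"""
import socket
import sys

OPENDJ_HOST = "localhost"                        # assumed
OPENDJ_PORT = 1389                               # assumed OpenDJ LDAP port
PEOPLE_BASE_DN = "ou=People,dc=example,dc=com"   # assumed
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name, simple password}} per RFC 4511."""
    if not 0 < msg_id < 0x80:
        raise ValueError("msg_id must fit in one INTEGER byte for this helper")
    bind = tlv(0x60,                                    # [APPLICATION 0] BindRequest
               tlv(0x02, b"\x03")                       # version 3
               + tlv(0x04, dn.encode("utf-8"))          # name
               + tlv(0x80, password.encode("utf-8")))   # [0] simple authentication
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def unbind_request(msg_id: int) -> bytes:
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + b"\x42\x00")  # [APPLICATION 2] UnbindRequest


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes):
    """Return (resultCode, diagnosticMessage) from an encoded BindResponse."""
    tag, message, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(message)
    tag, op, _ = read_tlv(message, pos)
    if tag != 0x61:                                     # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)                         # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)             # matchedDN
    _, diagnostic, _ = read_tlv(op, pos)                # diagnosticMessage
    return int.from_bytes(code, "big"), diagnostic.decode("utf-8", "replace")


def recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        return head + recv_exact(sock, head[1])
    extra = recv_exact(sock, head[1] & 0x7F)
    return head + extra + recv_exact(sock, int.from_bytes(extra, "big"))


def check_synced_password(user_name: str, password: str, host=OPENDJ_HOST, port=OPENDJ_PORT):
    """Bind to OpenDJ as the user; return (ok, resultCode, diagnosticMessage)."""
    dn = "uid=%s,%s" % (user_name, PEOPLE_BASE_DN)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(bind_request(1, dn, password))
        code, diag = parse_bind_response(recv_message(sock))
        sock.sendall(unbind_request(2))
    return code == 0, code, diag


if __name__ == "__main__":
    ok, code, diag = check_synced_password(sys.argv[1], sys.argv[2])
    print("bind %s: %s (%d) %s" % ("OK" if ok else "FAILED", RESULT_NAMES.get(code, "?"), code, diag))
```

Change the password in Active Directory, wait for the agent and the mapping to run, then run the script with the new password: a result of 0 (success) proves the value reached OpenDJ, 49 (invalidCredentials) means it is still the old one or the mapping did not write userPassword, and 32 (noSuchObject) means the managed user was never provisioned into LDAP at all.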

Federation using OpenAM by authenticating against OpenDJ using AD credentials

Steps to configure OpenAM

  1. Download the latest OpenAM 13 WAR file from ForgeRock BackStage.
  2. Download and install Apache Tomcat 7 and JDK 7+.
  3. Enable the Tomcat manager roles so you can deploy the OpenAM WAR through the Tomcat UI, or optionally deploy it manually by placing the WAR in Tomcat's webapps folder.
  4. Before you deploy the OpenAM WAR there are a few environment changes that need to be made. Refer for details.
  5. Once the OpenAM WAR is deployed, launch the application and configure OpenAM to use OpenDJ (to which the AD passwords are synchronised) as the backend for authentication. Refer for details.
  6. Now you can log in to OpenAM using AD credentials.

Configuring OpenID Connect client in OpenAM

Hope this information is useful.