Deployment Tasks

Autonomous Identity administrators and deployers must set up additional tasks during installment.

The following are some deployments tasks that may occur:

Customize the Domain and Namespace

By default, the Autonomous Identity URL and domain for the UI console is set to autoid-ui.forgerock.com, and the URL and domain for the self-service feature is autoid-selfservice.forgerock.com.

Customize domain and namespace:
  1. Customize the domain name and target environment by editing the /autoid-config/vars.xml file. By default, the domain name is set to forgerock.com and the target environment is set to autoid. The default Autonomous Identity URL will be: https://autoid-ui.forgerock.com. For example, we set the domain name to abc.com and the target environment to myid:

    domain_name: forgerock.com
    target_environment: autoid
  2. If you set up your domain name and target environment in the previous step, you need to change the certificates to reflect the changes. Autonomous Identity generates self-signed certificates for its default configuration. You must generate new certificates as follows:

    1. Generate the private key (that is, privatekey.pem).

      $ openssl genrsa 2048 > privatekey.pem
    2. Generate the certificate signing request.

      $ openssl req -new -key privatekey.pem -out csr.pem
    3. Generate the Diffie-Hellman (DH) parameters file (dhparam4096.pem).

      $ openssl dhparam -out dhparam4096.pem 4096
    4. Create a self-signing certificate.

      $ openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt
    5. Use your Certificate Authority (CA) to sign the certificate. The certificate must be server.crt.

    6. Copy the files to the /autoid-config/certs directory.

    7. Make the domain changes on your DNS server or update your /etc/hosts (Linux/Unix) file or C:\Windows\System32\drivers\etc\hosts (Windows) locally on your machine.

Configuring Your Filters

The filters on the Applications pages let you focus your searches based on entitlement and user attributes. In most cases, the default filters should suffice for most environments. However, if you need to customize the filters, you can do so by accessing the configuration service API endpoint as show below.

The default filters for an entitlement are the following:

  • Risk Level

  • Criticality

The default filters for an user attributes are the following:

  • User Department Name

  • Line of Business Subgroup

  • City

  • Jobcode Name

  • User Employee Type

  • Chief Yes No

  • Manager Name

  • Line of Business

  • Cost Center

Configure the Filters:
  1. From the deployer node, SSH to the target node.

  2. Run the curl command to retrieve the current filters configuration.

    $ curl -i -k -u configadmin:<configadmin-password> --header "Content-Type: application/json" --request GET
      https://autoid-configuration-service.forgerock.com/api/configuration/AllowedAttributesForFiltering
    
    {
      "entitlement": [
        "risk_level",
        "criticality",
        "owner"
      ],
      "user": [
        "usr_department_name",
        "line_of_business_subgroup",
        "city",
        "jobcode_name",
        "usr_emp_type",
        "chief_yes_no",
        "manager_name",
        "line_of_business",
        "cost_center"
      ]
    }
  3. Update the filters configuration. The syntax is as follows:

    $ curl -i -k -u configadmin:<configadmin-password> \
          --request PUT \
          --header "Content-Type: application/json" \
          --data '{<UPDATED_FILTERING_JSON_DATA>}' \
        https://autoid-configuration-service.forgerock.com/api/configuration/AllowedAttributesForFiltering

    For example, update the filters list with fewer attributes:

    $ curl -i -k -u configadmin:<configadmin-password> \
          --request PUT \
          --header "Content-Type: application/json"
          --data '{ "entitlement":["risk_level","criticality","owner"], \
            "user":["usr_department_name","line_of_business_subgroup","city","jobcode_name"]}' \
        https://autoid-configuration-service.forgerock.com/api/configuration/AllowedAttributesForFiltering
    
    configuration item updated

Change the Vault Passwords

Autonomous Identity uses the ansible vault to store passwords in encrypted files, rather than in plaintext. Autonomous Identity stores the vault file at /autoid-config/vault.yml saves the encrypted passwords to /config/.autoid_vault_password . The /config/ mount is internal to the deployer container. The default encryption algorithm used is AES256.

By default, the /autoid-config/vault.yml file uses the following parameters:

configuration_service_vault:
  basic_auth_password: Welcome123

openldap_vault:
  openldap_password: Welcome123

cassandra_vault:
  cassandra_password: Welcome123
  cassandra_admin_password: Welcome123

mongo_vault:
  mongo_admin_password: Welcome123
  mongo_root_password: Welcome123

elastic_vault:
  elastic_admin_password: Welcome123
  elasticsearch_password: Welcome123

Assume that the vault file is encrypted during the installation. To edit the file:

Edit the Vault file:
  1. Change to the /autoid-config/ directory.

    $ cd ~/autoid-config/
  2. First, decrypt the vault file.

    $ ./deployer.sh decrypt-vault
  3. Open a text editor and edit the vault.yml file.

  4. Encrypt the file again.

    $ ./deployer.sh encrypt-vault

Set Up Single Sign-On

Autonomous Identity supports single sign-on (SSO) using OpenID Connect (OIDC) JWT tokens. SSO lets you log in once and access multiple applications without the need to re-authenticate yourself. You can use any third-party identity provider (IdP) to connect to Autonomous Identity. In this example, we use ForgeRock Access Management (AM) as an OpenID Connect (OIDC) IdP for Autonomous Identity.

If you set up SSO-only, be aware that the following services are not deployed with this setting:

  • Self Service

  • Manage Identities

If you want to use these services and SSO, set up the authentication as "LocalAndSSO". Otherwise, for SSO-only, you must use the user services provided by your SSO provider.

The following procedure requires a running instance of ForgeRock AM. For more information, see ForgeRock Access Management Quick Start Guide.

Set up SSO:
  1. First, set up your hostnames locally in /etc/hosts (Linux/Unix) file or [path]``C:\Windows\System32\drivers\etc\hosts'' (Windows).

    35.189.75.99  autoid-ui.forgerock.com autoid-selfservice.forgerock.com
    35.246.65.234 openam.example.com
  2. Open a browser and point to http://openam.example.com:8080/openam. Log in with username: amadmin, password: cangetinam.

  3. On AM, go to Identities > Groups, and add the following groups:

    • AutoIdAdmin

    • AutoIdEntitlementOwner

    • AutoIdExecutive

    • AutoIdSupervisor

    • AutoIdUser

  4. Add the demo user to each group.

  5. Go back to the main AM Admin UI page. Click Configure OAuth Provider.

  6. Click Configure OpenID Connect, and then Create.

  7. Go to Applications > OAuth 2.0, and then click Add Client. Enter the following properties, specific to your deployment:

    Client ID:         <autoid>
    Client secret:     <password>
    Redirection URIs:  https://<autoi-ui>.<domain>/api/sso/finish
    Scope(s):          openid profile

    For example:

    Client ID:         autoid
    Client secret:     Welcome123
    Redirection URIs:  https://autoid-ui.forgerock.com/api/sso/finish
    Scope(s):          openid profile
  8. On the New Client page, go to to the Advanced tab, and enable Implied Consent. Next, change the Token Endpoint Authentication Method to client_secret_post.

  9. Edit the OIDC claims script to return roles (groups), so that AM can match the Autonomous Identity groups.

    "groups": { claim, identity -> [ "groups" : identity.getMemberships(IdType.GROUP).collect { group -> group.name }]}

    For more information about the OIDC claims script, see the ForgeRock Knowledge Base.

  10. The id_token returns the content that includes the group names.

    {
      "at_hash": "QJRGiQgr1c1sOE4Q8BNyyg",
      "sub": "demo",
      "auditTrackingId": "59b6524d-8971-46da-9102-704694cae9bc-48738",
      "iss": "http://openam.example.com:8080/openam/oauth2",
      "tokenName": "id_token",
      "groups": [
        "AutoIdAdmin",
        "AutoIdSupervisor",
        "AutoIdUser",
        "AutoIdExecutive",
        "AutoIdEntitlementOwner"
      ],
      "given_name": "demo",
      "aud": "autoid",
      "c_hash": "SoLsfc3zjGq9xF5mJG_C9w",
      "acr": "0",
      "org.forgerock.openidconnect.ops": "B15A_wXm581fO8INtYHHcwSQtJI",
      "s_hash": "bOhtX8F73IMjSPeVAqxyTQ",
      "azp": "autoid",
      "auth_time": 1592390726,
      "name": "demo",
      "realm": "/",
      "exp": 1592394729,
      "tokenType": "JWTToken",
      "family_name": "demo",
      "iat": 1592391129,
      "email": "demo@example.com"
    }
  11. You have successfully configured AM as an OIDC provider. Next, we set up Autonomous Identity.

  12. Change to the Autonomous Identity install directory on the deployer machine.

    $ cd ~/autoid-config/
  13. Open a text editor, and set the SSO parameters in the /autoid-config/vars.yml file. Make sure to change LDAP to SSO.

    authentication_option: "SSO"
    
    oidc_issuer: "http://openam.example.com:8080/openam/oauth2"
    oidc_auth_url: "http://openam.example.com:8080/openam/oauth2/authorize"
    oidc_token_url: "http://openam.example.com:8080/openam/oauth2/access_token"
    oidc_user_info_url: "http://openam.example.com:8080/openam/oauth2/userinfo"
    oidc_jwks_url: "http://openam.example.com:8080/openam/oauth2/connect/jwk_uri"
    oidc_callback_url: "https://autoid-ui.forgerock.com/api/sso/finish"
    oidc_client_scope: 'openid profile'
    oidc_groups_attribute: groups
    oidc_uid_attribute: sub
    oidc_client_id: autoid
    oidc_client_secret: Welcome1
    admin_object_id: AutoIdAdmin
    entitlement_owner_object_id: AutoIdEntitlementOwner
    executive_object_id: AutoIdExecutive
    supervisor_object_id: AutoIdSupervisor
    user_object_id: AutoIdUser
    application_owner_object_id: AutoIDAppOwner
    role_owner_object_id: AutoIDRoleOwner
    role_engineer_object_id: AutoIDRoleEngineer
    oidc_end_session_endpoint: "http://openam.example.com:8080/openam/oauth2/logout"
    oidc_logout_redirect_url: "http://openam.example.com:8088/openman/logout"
  14. On the Target machine, edit the /etc/hosts file, and add an entry for openam.example.com.

    35.134.60.234  openam.example.com
  15. On the Deployer machine, run deployer.sh to push the new configuration.

    $ deployer.sh run
  16. Test the connection now. Access https://autoid-ui/forgerock.com. The redirect should occur with the following:

    http://openam.example.com:8080/openam/XUI/?realm=%2F&goto=http%3A%2F%2Fopenam.example.com%3A8080%2Fopenam%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3Dautoid

Setting the Session Duration

By default, the session duration is set to 30 minutes. You can change this value at installation by setting the JWT_EXPIRY property in the /autoid-config/vars.yml file.

If you did not set the value at installation, you can make the change after installation by setting the JWT_EXPIRY property using the API service.

Set the session duration:
  1. Log in to the Docker manager node.

  2. Verify the JWT_EXPIRY property.

    $ docker inspect api_zoran-api
  3. Go to the API folder.

    $ cd /opt/autoid/res/api
  4. Edit the docker-compose.yml file and update the JWT_EXPIRY property. The JWT_EXPIRY property is set to minutes.

  5. Redeploy the Docker stack API.

    $ docker stack deploy --with-registry-auth --compose-file docker-compose.yml api

    If the command returns any errors, such as "image could not be accessed by the registry," then try the following command:

    $ docker stack deploy --with-registry-auth --resolve-image changed \
        --compose-file /opt/autoid/res/api/docker-compose.yml api
  6. Verify the new JWT_EXPIRY property.

    $ docker inspect api_zoran-api
  7. Log in to the Docker worker node.

  8. Stop the worker node.

    $ docker stop [container ID]

    The Docker manager node re-initiates the worker node. Repeat this step on any other worker node.