Identity Cloud

Access data objects by remote proxy

You can proxy REST requests to a remote IDM instance using the /external/idm/factoryPid endpoint. This lets you treat any other IDM instance as a resource within the one you are managing. You can then use it in a sync mapping, call actions on it, use it within scripts, or use it in any other way that you might use a resource in IDM. You can call any endpoint in the remote IDM system using this proxy.

A few situations where this feature is useful:

  • A development or testing environment holds data that needs to be synced into the production environment.

  • Data is deployed across geographically diverse data centers and changes need to be kept in sync between them.

  • A new instance needs to sync data between existing on-premises and cloud instances.

This feature does not support liveSync or implicit sync from remote IDM resources, so reconciliation (recon) is the only way to pull data from a remote system.

For any request sent to the source server that includes an X-Requested-With header, the value of the header is set to RemoteIDMProxy.


To connect to a remote instance over SSL, you must import the remote instance’s server certificate into your local instance’s truststore. For further information, see Configure a self-managed SSL certificate.

Use in a sync mapping

To use the remote IDM proxy in a synchronization mapping, add the mapping to your mapping configuration. For example:

curl \
--header "Authorization: Bearer *token*" \
--header "Accept-API-Version: resource=1.0" \
--header "Content-Type: application/json" \
--data '{
  "mappings": [
    {
      "name": "onprem_user_to_fidc_alpha_user",
      "source": "external/idm/65/managed/user",
      "target": "external/idm/fidc/managed/alpha_user"
    }
  ]
}' \
--request PUT \

To verify the changes, get the mapping configuration. For example:

curl \
--header "Authorization: Bearer *token*" \
--header "Accept-API-Version: resource=1.0" \
--request GET \


Authentication against the remote IDM instance is supported via basic authentication, or bearer token authentication when IDM is configured to use rsFilter. The authentication strategy determines some of the parameters required for the request.

Property          Required?           Definition

enabled                               The enable state of the service. Default is true.
scope                                 The requested OAuth2 scope(s).
scopeDelimiter                        The scope delimiter to use. Defaults to space.
authType                              The authentication strategy to use. Either basic or bearer.
instanceUrl                           The URL of the remote instance to relay the request to.
userName          With basic auth     The basic authentication user name.
password          With basic auth     The basic authentication password.
clientId          With bearer auth    The clientId used to request an access token from the token endpoint.
clientSecret      With bearer auth    The client secret used to request an access token from the token endpoint.
tokenEndpoint     With bearer auth    The OAuth2 token endpoint.


Basic authentication

{
  "enabled" : true,
  "authType" : "basic",
  "instanceUrl" : "https://localhost:8443/openidm/",
  "userName" : "openidm-admin",
  "password" : "openidm-admin"
}

Bearer/OAuth2 authentication

{
  "enabled" : true,
  "authType" : "bearer",
  "instanceUrl" : "",
  "clientId" : "idm-provisioning",
  "clientSecret" : "password",
  "scope" : [ ],
  "tokenEndpoint" : "",
  "scopeDelimiter" : " "
}
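The following is an added example, not ForgeRock code: a pre-deployment lint for a remote IDM proxy service configuration, written against the property table above. The required-property rules per authType follow the table; the placeholder-credential list, the https check, the client_credentials grant type and the example.com URLs are assumptions made here.

```python
# Added lint for a remote IDM proxy (external/idm/factoryPid) service config,
# written against the property table above; not ForgeRock code. The
# placeholder list, the https check and the grant type are assumptions.
from urllib.parse import urlparse

REQUIRED = {
    "basic": ("instanceUrl", "userName", "password"),
    "bearer": ("instanceUrl", "clientId", "clientSecret", "tokenEndpoint"),
}
# Sample values from documentation that must not reach a live deployment.
PLACEHOLDERS = {"openidm-admin", "password", ""}

def lint_proxy_config(cfg):
    """Return the list of problems found; an empty list means it passes."""
    auth = cfg.get("authType")
    if auth not in REQUIRED:
        return [f"authType must be 'basic' or 'bearer', got {auth!r}"]
    problems = [f"{k} is required for authType={auth}"
                for k in REQUIRED[auth] if not cfg.get(k)]
    # The page needs the remote certificate in the truststore for SSL;
    # a plain-http URL would relay credentials and tokens in the clear.
    for key in ("instanceUrl", "tokenEndpoint"):
        url = cfg.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} should use https, got {url!r}")
    secret_key = "password" if auth == "basic" else "clientSecret"
    if cfg.get(secret_key) in PLACEHOLDERS:
        problems.append(f"{secret_key} is a sample/placeholder value")
    if auth == "bearer" and not isinstance(cfg.get("scope", []), list):
        problems.append("scope must be a list of scope strings")
    return problems

def token_request_form(cfg):
    """Form body for the token endpoint: scope list joined with
    scopeDelimiter, as the table implies (grant type assumed)."""
    return {
        "grant_type": "client_credentials",
        "client_id": cfg["clientId"],
        "client_secret": cfg["clientSecret"],
        "scope": cfg.get("scopeDelimiter", " ").join(cfg.get("scope", [])),
    }

# Constructed configs: the page's bearer sample as-is, then a corrected one.
SAMPLE_BEARER = {"enabled": True, "authType": "bearer", "instanceUrl": "",
                 "clientId": "idm-provisioning", "clientSecret": "password",
                 "scope": [], "tokenEndpoint": "", "scopeDelimiter": " "}
HARDENED_BEARER = dict(SAMPLE_BEARER, instanceUrl="https://idm.example.com/openidm/",
                       clientSecret="<secret-from-vault>", scope=["sync", "admin"],
                       tokenEndpoint="https://am.example.com/oauth2/access_token")
```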

Sample request

curl \
--header "Authorization: Bearer *token*" \
--header "Accept-API-Version: resource=1.0" \
--request GET \

{
  "result": [{
    "_id": "95b2b43c-621e-4bca-8a97-efc768f17751",
    "_rev": "00000000f20217df",
    "userName": "testUser",
    "accountStatus": "active",
    "givenName": "Test",
    "sn": "User",
    "mail": ""
  }],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}

Use in a script

openidm.query("external/idm/fidc/managed/alpha_user", {"_queryFilter": "userName eq 'bjensen'"});

Copyright © 2010-2022 ForgeRock, all rights reserved.