Guide to configuring and integrating ForgeRock® Identity Management software into identity management solutions. This software offers flexible services for automating management of the identity life cycle.

Preface

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

1. About This Guide

In this guide you will learn how to integrate ForgeRock Identity Management (IDM) software as part of a complete identity management solution.

This guide is written for systems integrators building solutions based on ForgeRock Identity Management services. This guide describes the product functionality, and shows you how to set up and configure IDM software as part of your overall identity management solution.

2. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.
While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.
ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

3. Using the ForgeRock.org Site

The ForgeRock.org site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

Chapter 1. Architectural Overview

This chapter introduces the IDM architecture, and describes component modules and services.

In this chapter you will learn:

How IDM uses the OSGi framework as a basis for its modular architecture
How the infrastructure modules provide the features required for IDM's core services
What those core services are and how they fit in to the overall architecture
How IDM provides access to the resources it manages

1.1. Modular Framework

IDM implements infrastructure modules that run in an OSGi framework. It exposes core services through RESTful APIs to client applications.

The following figure provides an overview of the architecture. Specific components are described in more detail in subsequent sections of this chapter.

Modular Architecture

The IDM framework is based on OSGi:

OSGi: OSGi is a module system and service platform for the Java programming language that implements a complete and dynamic component model. For more information, see What is OSGi? IDM runs in Apache Felix, an implementation of the OSGi Framework and Service Platform.
Servlet: The Servlet layer provides RESTful HTTP access to the managed objects and services. IDM embeds the Jetty Servlet Container, which can be configured for either HTTP or HTTPS access.

1.2. Infrastructure Modules

The infrastructure modules provide the underlying features needed for core services:

BPMN 2.0 Workflow Engine

The embedded workflow and business process engine is based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard.

For more information, see "Integrating Business Processes and Workflows".

Task Scanner

The task-scanning mechanism performs a batch scan for a specified property, on a scheduled interval. The task scanner executes a task when the value of that property matches a specified value.

For more information, see "Scanning Data to Trigger Tasks".

Scheduler

The scheduler supports Quartz cron triggers and simple triggers. Use the scheduler to trigger regular reconciliations, liveSync, and scripts, to collect and run reports, to trigger workflows, and to perform custom logging.

For more information, see "Scheduling Tasks and Events".

Script Engine

The script engine is a pluggable module that provides the triggers and plugin points for IDM. JavaScript and Groovy are supported.

Policy Service

An extensible policy service applies validation requirements to objects and properties, when they are created or updated.

For more information, see "Using Policies to Validate Data".

Audit Logging

Auditing logs all relevant system activity to the configured log stores. This includes the data from reconciliation as a basis for reporting, as well as detailed activity logs to capture operations on the internal (managed) and external (system) objects.

For more information, see "Setting Up Audit Logging".

Repository

The repository provides a common abstraction for a pluggable persistence layer. IDM supports reconciliation and synchronization with several major external data stores in production, including relational databases, LDAP servers, and even flat CSV and XML files.

The repository API uses a JSON-based object model with RESTful principles consistent with the other IDM services. To facilitate testing, IDM includes an embedded instance of ForgeRock Directory Services (DS). In production, you must use a supported repository, as described in "Selecting a Repository" in the Installation Guide.

1.3. Core Services

The core services are the heart of the resource-oriented unified object model and architecture:

Object Model

Artifacts handled by IDM are Java object representations of the JavaScript object model as defined by JSON. The object model supports interoperability and potential integration with many applications, services, and programming languages.

IDM can serialize and deserialize these structures to and from JSON as required. IDM also exposes a set of triggers and functions that you can define, in either JavaScript or Groovy, which can natively read and modify these JSON-based object model structures.

Managed Objects

A managed object is an object that represents the identity-related data managed by IDM. Managed objects are configurable, JSON-based data structures that IDM stores in its pluggable repository. The default managed object configuration includes users and roles, but you can define any kind of managed object, for example, groups or devices.

You can access managed objects over the REST interface with a query similar to the following:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/openidm/managed/..."

System Objects

System objects are pluggable representations of objects on external systems. For example, a user entry that is stored in an external LDAP directory is represented as a system object in IDM.

System objects follow the same RESTful resource-based design principles as managed objects. They can be accessed over the REST interface with a query similar to the following:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/openidm/system/..."

There is a default implementation for the ICF framework, that allows any connector object to be represented as a system object.

Mappings

Mappings define policies between source and target objects and their attributes during synchronization and reconciliation. Mappings can also define triggers for validation, customization, filtering, and transformation of source and target objects.

For more information, see "Synchronizing Data Between Resources".

Synchronization and Reconciliation

Reconciliation enables on-demand and scheduled resource comparisons between the managed object repository and the source or target systems. Comparisons can result in different actions, depending on the mappings defined between the systems.

Synchronization enables creating, updating, and deleting resources from a source to a target system, either on demand or according to a schedule.

For more information, see "Synchronizing Data Between Resources".

1.4. Secure Commons REST Commands

Representational State Transfer (REST) is a software architecture style for exposing resources, using the technologies and protocols of the World Wide Web. For more information on the ForgeRock REST API, see "REST API Reference".

REST interfaces are commonly tested with a curl command. Many of these commands are used in this document. They work with the standard ports associated with Java EE communications, 8080 and 8443.

To run curl over the secure port, 8443, you must include either the --insecure option, or follow the instructions shown in "Restricting REST Access to the HTTPS Port". You can use those instructions with the self-signed certificate generated when IDM starts, or with a *.crt file provided by a certificate authority.

1.5. Access Layer

The access layer provides the user interfaces and public APIs for accessing and managing the repository and its functions:

RESTful Interfaces

IDM provides REST APIs for CRUD operations, for invoking synchronization and reconciliation, and to access several other services.

For more information, see "REST API Reference".

User Interfaces

User interfaces provide access to most of the functionality available over the REST API.

Chapter 2. Starting, Stopping, and Running the Server

This chapter covers the scripts provided for starting and stopping IDM, and describes how to verify the health of a system, that is, that all requirements are met for a successful system startup.

2.1. To Start and Stop the Server

By default, you start and stop IDM in interactive mode.

To start the server interactively, open a terminal or command window, change to the openidm directory, and run the startup script:

startup.sh (UNIX)
startup.bat (Windows)

The startup script starts the server, and opens an OSGi console with a -> prompt where you can issue console commands.

The default hostname and ports for IDM are set in the resolver/boot.properties file found in the openidm/ directory. IDM is initially configured to run on http on port 8080, https on port 8443, with a hostname of localhost. For more information about changing ports and hostnames, see "Host and Port Information".

To stop the server interactively in the OSGi console, run the shutdown command:

-> shutdown

You can also start IDM as a background process on UNIX and Linux systems. Follow these steps, preferable before you start IDM for the first time:

If you have already started the server, shut it down and remove the Felix cache files under openidm/felix-cache/:
```
-> shutdown
...
$ rm -rf felix-cache/*
```
Start the server in the background. The nohup survives a logout and the 2>&1& redirects standard output and standard error to the noted console.out file:
```
$ nohup ./startup.sh > logs/console.out 2>&1&
[1] 2343
```

To stop the server running as a background process, use the shutdown.sh script:

$ ./shutdown.sh
./shutdown.sh
Stopping OpenIDM (2343)

Note

Although installations on OS X systems are not supported in production, you might want to run IDM on OS X in a demo or test environment. To run IDM in the background on an OS X system, take the following additional steps:

Remove the org.apache.felix.shell.tui-*.jar bundle from the openidm/bundle directory.
Disable ConsoleHandler logging, as described in "Disable Logs".

2.2. Specifying the Startup Configuration

By default, IDM starts with the configuration, script, and binary files in the openidm/conf, openidm/script, and openidm/bin directories. You can launch IDM with a different set of configuration, script, and binary files for test purposes, to manage different projects, or to run one of the included samples.

The startup.sh script specifies the following elements of a running instance:

-p | --project-location {/path/to/project/directory}

The project location specifies the directory that contains the configuration and script files that IDM will use.

All configuration objects and any artifacts that are not in the bundled defaults (such as custom scripts) must be included in the project location. These objects include all files otherwise included in the openidm/conf and openidm/script directories.

For example, the following command starts the server with the configuration of the sync-with-csv sample (located in /path/to/openidm/samples/sync-with-csv):

$ ./startup.sh -p /path/to/openidm/samples/sync-with-csv

If you do not provide an absolute path, the project location path is relative to the system property, user.dir. IDM sets idm.instance.dir to that relative directory path. Alternatively, if you start the server without the -p option, IDM sets idm.instance.dir to /path/to/openidm.

Note

In this documentation, "your project" refers to the value of idm.instance.dir.

-w |--working-location {/path/to/working/directory}

The working location specifies the directory in which the embedded DS instance is installed, and the directory to which IDM writes its database cache, audit logs, and felix cache. The working location includes everything that is in the default db/, audit/, and felix-cache/ subdirectories.

The following command specifies that IDM writes its database cache and audit data to /Users/admin/openidm/storage:

$ ./startup.sh -w /Users/admin/openidm/storage

If you do not provide an absolute path, the path is relative to the system property, user.dir. IDM sets idm.data.dir to that relative directory path. If you do not specify a working location, IDM sets idm.data.dir to /path/to/openidm. This means the default working location data is located in the openidm/db, openidm/felix-cache and openidm/audit directories.

Note that this property does not affect the location of the IDM system logs. To change the location of these logs, edit the conf/logging.properties file.

You can also change the location of the Felix cache, by editing the conf/config.properties file, or by starting the server with the -s option, described later in this section.

-c | --config {/path/to/config/file}

A customizable startup configuration file (named launcher.json) lets you specify how the OSGi Framework is started.

Unless you are working with a highly customized deployment, you should not modify the default framework configuration. This option is therefore described in more detail in "Advanced Configuration".

-P {property=value}

Any properties passed to the startup script with the -P option are used when the server loads the launcher.json startup configuration file.

Options specified here have the lowest order of precedence when the configuration is loaded. If the same property is defined in any other configuration source, the value specified here is ignored.

-s | --storage {/path/to/storage/directory}

Specifies the OSGi storage location of the cached configuration files.

You can use this option to redirect output if you are installing on a read-only filesystem volume. For more information, see "Installing on a Read-Only Volume" in the Installation Guide. This option is also useful when you are testing different configurations. Sometimes when you start the server with two different sample configurations, one after the other, the cached configurations are merged and cause problems. Specifying a storage location creates a separate felix-cache directory in that location, and the cached configuration files remain completely separate.

Additionally, IDM sets the system property idm.install.dir to the location IDM is installed in. For example, if IDM was installed in /Users/admin/openidm/, that is what idm.install.dir will be set to.

For information about changing the startup configuration by substituting property values, see "Using Property Value Substitution".

2.3. Monitoring Server Health

Because IDM is highly modular and configurable, it is often difficult to assess whether a system has started up successfully, or whether the system is ready and stable after dynamic configuration changes have been made.

The health check service allows you to monitor the status of internal resources.

To monitor the status of external resources such as LDAP servers and external databases, use the commands described in "Checking the Status of External Systems Over REST".

2.3.1. Basic Health Checks

The health check service reports on the state of the server and outputs this state to the OSGi console and to the log files. The server can be in one of the following states:

STARTING - the server is starting up
ACTIVE_READY - all of the specified requirements have been met to consider the server ready
ACTIVE_NOT_READY - one or more of the specified requirements have not been met and the server is not considered ready
STOPPING - the server is shutting down

To verify the current server state, use the following REST call:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/openidm/info/ping"
{
  "_id": "",
  "_rev": "",
  "shortDesc": "OpenIDM ready",
  "state": "ACTIVE_READY"
}

2.3.2. Obtaining Session Information

To obtain information about the current IDM session, beyond basic health checks, use the following REST call:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/info/login"
{
  "_id": "login",
  "authenticationId": "openidm-admin",
  "authorization": {
    "component": "internal/user",
    "authLogin": false,
    "roles": [
      "internal/role/openidm-admin",
      "internal/role/openidm-authorized"
    ],
    "ipAddress": "0:0:0:0:0:0:0:1",
    "id": "openidm-admin",
    "moduleId": "INTERNAL_USER"
  }
}

Note

You can also increment the loginCount with a related endpoint described in "Authenticating Internal and Managed Users".

2.3.3. Monitoring Tuning and Health Parameters

The openidm/health endpoint provides more detailed monitoring information on the following areas:

Operating System on the openidm/health/os endpoint
Memory on the openidm/health/memory endpoint
Reconciliation, on the openidm/health/recon endpoint.

For information on controlling access to these endpoints, see "Understanding the Access Configuration Script (access.js)".

2.3.3.1. Operating System Health Check

With the following REST call, you can get basic information about the host operating system:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/openidm/health/os"
{
    "_id" : "",
    "_rev" : "",
    "availableProcessors" : 1,
    "systemLoadAverage" : 0.06,
    "operatingSystemArchitecture" : "amd64",
    "operatingSystemName" : "Linux",
    "operatingSystemVersion" : "2.6.32-504.30.3.el6.x86_64"
}

From the output, you can see that this particular system has one 64-bit CPU, with a load average of 6 percent, on a Linux system with the noted kernel operatingSystemVersion number.

2.3.3.2. Memory Health Check

With the following REST call, you can get basic information about overall JVM memory use:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/openidm/health/memory"
{
    "_id" : "",
    "_rev" : "",
    "objectPendingFinalization" : 0,
    "heapMemoryUsage" : {
        "init" : 1073741824,
        "used" : 88538392,
        "committed" : 1037959168,
        "max" : 1037959168
    },
    "nonHeapMemoryUsage" : {
        "init" : 24313856,
        "used" : 69255024,
        "committed" : 69664768,
        "max" : 224395264
    }
}

The output includes information on JVM Heap and Non-Heap memory, in bytes. Briefly:

JVM Heap memory is used to store Java objects.
JVM Non-Heap Memory is used by Java to store loaded classes and related meta-data.

2.3.3.3. Reconciliation Health Check

With the following REST call, you can get basic information about the system demands related to reconciliation:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/openidm/health/recon"
{
    "_id" : "",
    "_rev" : "",
    "activeThreads" : 1,
    "corePoolSize" : 10,
    "largestPoolSize" : 1,
    "maximumPoolSize" : 10,
    "currentPoolSize" : 1
}

From the output, you can review the number of active threads used by the reconciliation, as well as the available thread pool.

2.3.4. Verifying the State of Health Check Service Modules

The configurable health check service verifies the status of the modules and services required for an operational system. During system startup, IDM checks that these modules and services are available and reports on any requirements that have not been met. If dynamic configuration changes are made, IDM rechecks that the required modules and services are functioning, to allow ongoing monitoring of system operation.

Examples of Required Modules

IDM checks all required modules. Examples of those modules are shown here:

     "org.forgerock.openicf.framework.connector-framework"
     "org.forgerock.openicf.framework.connector-framework-internal"
     "org.forgerock.openicf.framework.connector-framework-osgi"
     "org.forgerock.openidm.audit"
     "org.forgerock.openidm.core"
     "org.forgerock.openidm.enhanced-config"
     "org.forgerock.openidm.external-email"
     ...
     "org.forgerock.openidm.system"
     "org.forgerock.openidm.ui"
     "org.forgerock.openidm.util"
     "org.forgerock.commons.org.forgerock.json.resource"
     "org.forgerock.commons.org.forgerock.util"
     "org.forgerock.openidm.security-jetty"
     "org.forgerock.openidm.jetty-fragment"
     "org.forgerock.openidm.quartz-fragment"
     "org.ops4j.pax.web.pax-web-extender-whiteboard"
     "org.forgerock.openidm.scheduler"
     "org.ops4j.pax.web.pax-web-jetty-bundle"
     "org.forgerock.openidm.repo-jdbc"
     "org.forgerock.openidm.repo-ds"
     "org.forgerock.openidm.config"
     "org.forgerock.openidm.crypto"

Examples of Required Services

IDM checks all required services. Examples of those services are shown here:

     "org.forgerock.openidm.config"
     "org.forgerock.openidm.provisioner"
     "org.forgerock.openidm.provisioner.openicf.connectorinfoprovider"
     "org.forgerock.openidm.external.rest"
     "org.forgerock.openidm.audit"
     "org.forgerock.openidm.policy"
     "org.forgerock.openidm.managed"
     "org.forgerock.openidm.script"
     "org.forgerock.openidm.crypto"
     "org.forgerock.openidm.recon"
     "org.forgerock.openidm.info"
     "org.forgerock.openidm.router"
     "org.forgerock.openidm.scheduler"
     "org.forgerock.openidm.scope"
     "org.forgerock.openidm.taskscanner"

You can replace the list of required modules and services, or add to it, by adding the following lines to your resolver/boot.properties file. Bundles and services are specified as a list of symbolic names, separated by commas:

openidm.healthservice.reqbundles - overrides the default required bundles.
openidm.healthservice.reqservices - overrides the default required services.
openidm.healthservice.additionalreqbundles - specifies required bundles (in addition to the default list).
openidm.healthservice.additionalreqservices - specifies required services (in addition to the default list).

By default, the server is given 15 seconds to start up all the required bundles and services before system readiness is assessed. Note that this is not the total start time, but the time required to complete the service startup after the framework has started. You can change this default by setting the value of the servicestartmax property (in milliseconds) in your resolver/boot.properties file. This example sets the startup time to five seconds:

openidm.healthservice.servicestartmax=5000

2.4. Displaying Information About Installed Modules

On a running instance, you can list the installed modules and their states by typing the following command in the OSGi console. (The output will vary by configuration):

-> scr list 
  
 BundleId Component Name Default State
    Component Id State      PIDs (Factory PID)
 [   5]   org.forgerock.openidm.config.enhanced.starter  enabled
    [   1] [active      ] org.forgerock.openidm.config.enhanced.starter
 [   5]   org.forgerock.openidm.config.manage  enabled
    [   0] [active      ] org.forgerock.openidm.config.manage
 [  10]   org.forgerock.openidm.datasource.jdbc  enabled
 [  10]   org.forgerock.openidm.repo.jdbc  enabled
 [  11]   org.forgerock.openidm.repo.ds  enabled
    [  35] [active      ] org.forgerock.openidm.repo.ds
 [  16]   org.forgerock.openidm.cluster  enabled
    [  18] [active      ] org.forgerock.openidm.cluster
 [  17]   org.forgerock.openidm.http.context  enabled
    [   2] [active      ] org.forgerock.openidm.http.context
 [ 123]   org.forgerock.openidm.api-servlet  enabled
    [   5] [active      ] org.forgerock.openidm.api-servlet
 [ 123]   org.forgerock.openidm.error-servlet  enabled
    [   3] [active      ] org.forgerock.openidm.error-servlet
 [ 123]   org.forgerock.openidm.router.servlet  enabled
    [   4] [active      ] org.forgerock.openidm.router.servlet
 [ 124]   org.forgerock.openidm.audit  enabled
    [  24] [active      ] org.forgerock.openidm.audit
 [ 124]   org.forgerock.openidm.audit.filter  enabled
    [   6] [active      ] org.forgerock.openidm.audit.filter
->

To display additional information about a particular module or service, run the following command, substituting the Component Id from the preceding list:

-> scr info Id

The following example displays additional information about the router service:

-> scr info 4
*** Bundle: org.forgerock.openidm.api-servlet (123)
Component Description:
  Name: org.forgerock.openidm.router.servlet
  Implementation Class: org.forgerock.openidm.servlet.internal.ServletConnectionFactory
  Default State: enabled
  Activation: immediate
  Configuration Policy: ignore
  Activate Method: activate
  Deactivate Method: deactivate
  Modified Method: -
  Configuration Pid: [org.forgerock.openidm.router.servlet]
  Services:
    org.forgerock.json.resource.ConnectionFactory
    org.forgerock.openidm.router.RouterFilterRegistration
  Service Scope: singleton
  Reference: requestHandler
    Interface Name: org.forgerock.json.resource.RequestHandler
    Target Filter: (org.forgerock.openidm.router=*)
    Cardinality: 1..1
    Policy: static
    Policy option: reluctant
    Reference Scope: bundle
...
->

2.5. Querying Enabled Features

"Displaying Information About Installed Modules" showed how to list installed modules and their states on a running IDM instance. An alternative method of assessing the state of a server configuration is to query the enabled features over REST.

The feature availability service determines the set of possible features from the active bundles, and provides the following information:

The name and _id of the feature
Whether the feature is enabled
If the feature is enabled, the REST endpoint on which that feature can be accessed

You can query the available features on the info/features endpoint, for example:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/openidm/info/features?_queryFilter=true"
{
  "result": [
    {
      "_id": "retrieveUsername",
      "name": "retrieveUsername",
      "enabled": false,
      "endpoints": []
    },
    {
      "_id": "identityProviders",
      "name": "identityProviders",
      "enabled": true,
      "endpoints": [
        "identityProviders"
      ]
    },
    {
      "_id": "workflow",
      "name": "workflow",
      "enabled": true,
      "endpoints": [
        "workflow*"
      ]
    },
    {
      "_id": "passwordReset",
      "name": "passwordReset",
      "enabled": false,
      "endpoints": []
    },
    {
      "_id": "registration",
      "name": "registration",
      "enabled": true,
      "endpoints": [
        "selfservice/registration"
      ]
    },
    {
      "_id": "email",
      "name": "email",
      "enabled": false,
      "endpoints": []
    }
  ],
  ...
}

2.6. Starting in Debug Mode

To debug custom libraries, you can start the server with the option to use the Java Platform Debugger Architecture (JPDA):

Start IDM with the jpda option:

$ cd /path/to/openidm
$ ./startup.sh jpda
Executing ./startup.sh...
Using OPENIDM_HOME:   /path/to/openidm
Using OPENIDM_OPTS:   -Xmx1024m -Xms1024m -Djava.compiler=NONE -Xnoagent -Xdebug
 -Xrunjdwp:transport=dt_socket,address=5005,server=y,suspend=n
Using LOGGING_CONFIG:
   -Djava.util.logging.config.file=/path/to/openidm/conf/logging.properties
Listening for transport dt_socket at address: 5005
Using boot properties at /path/to/openidm/resolver/boot.properties
-> OpenIDM version "6.5.2.0" (revision: xxxx)
OpenIDM ready

The relevant JPDA options are outlined in the startup script (startup.sh).

In your IDE, attach a Java debugger to the JVM via socket, on port 5005.

Caution

This interface is internal and subject to change. If you depend on this interface, contact ForgeRock support.

2.7. Troubleshooting a Server Instance

For information about troubleshooting various issues in IDM, including collecting useful troubleshooting information such as logs, heap dumps and stack traces, see the corresponding Knowledge Base article.

Chapter 3. Command-Line Interface

This chapter describes the basic command-line interface (CLI). The CLI includes a number of utilities for managing an IDM instance.

All of the utilities are subcommands of the cli.sh (UNIX) or cli.bat (Windows) scripts. To use the utilities, you can either run them as subcommands, or launch the cli script first, and then run the utility. For example, to run the encrypt utility on a UNIX system:

$ cd /path/to/openidm 
$ ./cli.sh 
Using boot properties at /path/to/openidm/resolver/boot.properties
openidm# encrypt ....

or

$ cd /path/to/openidm
$ ./cli.sh encrypt ...

By default, the command-line utilities run with the properties defined in your resolver/boot.properties file.

If you run the cli.sh command by itself, it opens an IDM-specific shell prompt:

openidm#

The startup and shutdown scripts are not discussed in this chapter. For information about these scripts, see "Starting, Stopping, and Running the Server".

The following sections describe the subcommands and their use. Examples assume that you are running the commands on a UNIX system. For Windows systems, use cli.bat instead of cli.sh.

For a list of subcommands available from the openidm# prompt, run the cli.sh help command. The help and exit options shown below are self-explanatory. The other subcommands are explained in the subsections that follow:

local:secureHash   Hash the input string.
local:keytool      Export or import a SecretKeyEntry. The Java Keytool does
                   not allow for exporting or importing SecretKeyEntries.
local:encrypt      Encrypt the input string.
local:validate     Validates all json configuration files in the configuration
                   (default: /conf) folder.
basic:help   Displays available commands.
basic:exit   Exit from the console.
remote:configureconnector   Generate connector configuration.
remote:configexport         Exports all configurations.
remote:update               Update the system with the provided update file.
remote:configimport         Imports the configuration set from local file/directory.

The following options are common to the configexport, configimport, and configureconnector subcommands:

-u or --user USER[:PASSWORD]: Allows you to specify the server user and password. Specifying a username is mandatory. If you do not specify a username, the following error is output to the OSGi console: Remote operation failed: Unauthorized. If you do not specify a password, you are prompted for one. This option is used by all three subcommands.
--url URL: The URL of the REST service. The default URL is http://localhost:8080/openidm/. This can be used to import configuration files from a remote running IDM instance. This option is used by all three subcommands.
-P or --port PORT: The port number associated with the REST service. If specified, this option overrides any port number specified with the --url option. The default port is 8080. This option is used by all three subcommands.

3.1. Using the configexport Subcommand

The configexport subcommand exports all configuration objects to a specified location, enabling you to reuse a system configuration in another environment. For example, you can test a configuration in a development environment, then export it and import it into a production environment. This subcommand also lets you inspect the active configuration of an IDM instance.

OpenIDM must be running when you execute this command.

Usage is as follows:

$ ./cli.sh configexport --user username:password export-location

For example:

$ ./cli.sh configexport --user openidm-admin:openidm-admin /tmp/conf

On Windows systems, the export-location must be provided in quotation marks, for example:

C:\openidm\cli.bat configexport --user openidm-admin:openidm-admin "C:\temp\openidm"

Configuration objects are exported as .json files to the specified directory. The command creates the directory if needed. Configuration files that are present in this directory are renamed as backup files, with a timestamp, for example, audit.json.2014-02-19T12-00-28.bkp, and are not overwritten. The following configuration objects are exported:

The internal repository table configuration (repo.ds.json or repo.jdbc.json) and the datasource connection configuration, for JDBC repositories (datasource.jdbc-default.json)
The script configuration (script.json)
The log configuration (audit.json)
The authentication configuration (authentication.json)
The cluster configuration (cluster.json)
The configuration of a connected SMTP email server (external.email.json)
Custom configuration information (info-name.json)
The managed object configuration (managed.json)
The connector configuration (provisioner.openicf-*.json)
The router service configuration (router.json)
The scheduler service configuration (scheduler.json)
Any configured schedules (schedule-*.json)
Standard security questions (selfservice.kba.json)
The synchronization mapping configuration (sync.json)
If workflows are defined, the configuration of the workflow engine (workflow.json) and the workflow access configuration (process-access.json)
Any configuration files related to the user interface (ui-*.json)
The configuration of any custom endpoints (endpoint-*.json)
The configuration of servlet filters (servletfilter-*.json)
The policy configuration (policy.json)

3.2. Using the configimport Subcommand

The configimport subcommand imports configuration objects from the specified directory, enabling you to reuse a system configuration from another environment. For example, you can test a configuration in a development environment, then export it and import it into a production environment.

The command updates the existing configuration from the import-location over the REST interface. By default, if configuration objects are present in the import-location and not in the existing configuration, these objects are added. If configuration objects are present in the existing location but not in the import-location, these objects are left untouched in the existing configuration.

The subcommand takes the following options:

-r, --replaceall, --replaceAll

Replaces the entire list of configuration files with the files in the specified import location.

Note that this option wipes out the existing configuration and replaces it with the configuration in the import-location. Objects in the existing configuration that are not present in the import-location are deleted.

--retries (integer)

This option specifies the number of times the command should attempt to update the configuration if the server is not ready.

Default value : 10

--retryDelay (integer)

This option specifies the delay (in milliseconds) between configuration update retries if the server is not ready.

Default value : 500

Usage is as follows:

$ ./cli.sh configimport --user username:password [--replaceAll] [--retries integer] [--retryDelay integer] import-location

For example:

$ ./cli.sh configimport --user openidm-admin:openidm-admin --retries 5 --retryDelay 250 --replaceAll /tmp/conf

On Windows systems, the import-location must be provided in quotation marks, for example:

C:\openidm\cli.bat configimport --user openidm-admin:openidm-admin --replaceAll "C:\temp\openidm"

Configuration objects are imported as .json files from the specified directory to the conf directory. The configuration objects that are imported are the same as those for the export command, described in the previous section.

3.3. Using the configureconnector Subcommand

The configureconnector subcommand generates a configuration for an ICF connector.

Usage is as follows:

$ ./cli.sh configureconnector --user username:password --name connector-name

Select the type of connector that you want to configure. The following example configures a new CSV connector:

$ ./cli.sh configureconnector --user openidm-admin:openidm-admin --name myCsvConnector
 Executing ./cli.sh...
Starting shell in /path/to/openidm
Mar 22, 2018 09:50:01 AM org.forgerock.openidm.core.FilePropertyAccessor loadProps
0. Workday Connector version 1.5.20.8
1. SSH Connector version 1.5.20.8
2. ServiceNow Connector version 1.5.20.8
3. Scripted SQL Connector version 1.5.20.8
4. Scripted REST Connector version 1.5.20.8
5. Scim Connector version 1.5.20.8
6. Salesforce Connector version 1.5.20.8
7. MongoDB Connector version 1.5.20.8
8. Marketo Connector version 1.5.20.8
9. LDAP Connector version 1.5.20.8
10. Kerberos Connector version 1.5.20.8
11. Scripted Poolable Groovy Connector version 1.5.20.8
12. Scripted Groovy Connector version 1.5.20.8
13. GoogleApps Connector version 1.5.20.8
14. Database Table Connector version 1.5.20.8
15. CSV File Connector version 1.5.20.8
16. Adobe Marketing Cloud Connector version 1.5.20.8
17. Exit
Select [0..17]: 15
Edit the configuration file and run the command again. The configuration was saved to
/path/to/openidm/temp/provisioner.openicf-myCsvConnector.json

The basic configuration is saved in a file named /openidm/temp/provisioner.openicf-connector-name.json. Edit at least the configurationProperties parameter in this file to complete the connector configuration. For example, for a CSV connector:

"configurationProperties" : {
    "headerPassword" : "password",
    "csvFile" : "&{idm.instance.dir}/data/csvConnectorData.csv",
    "newlineString" : "\n",
    "headerUid" : "uid",
    "quoteCharacter" : "\"",
    "fieldDelimiter" : ",",
    "syncFileRetentionCount" : 3
},

For more information about the connector configuration properties, see "Configuring Connectors".

When you have modified the file, run the configureconnector command again so that IDM can pick up the new connector configuration:

$ ./cli.sh configureconnector --user openidm-admin:openidm-admin --name myCsvConnector
Executing ./cli.sh...
Starting shell in /path/to/openidm
Using boot properties at /path/to/openidm/resolver/boot.properties
Configuration was found and read from: /path/to/openidm/temp/provisioner.openicf-myCsvConnector.json

You can now copy the new provisioner.openicf-myCsvConnector.json file to your project's conf/ subdirectory.

You can also configure connectors over the REST interface, or through the Admin UI. For more information, see "Configuring Connectors".

3.4. Using the encrypt Subcommand

The encrypt subcommand encrypts an input string, or JSON object, provided at the command line. This subcommand can be used to encrypt passwords, or other sensitive data, to be stored in the repository. The encrypted value is output to standard output and provides details of the cryptography key that is used to encrypt the data.

Usage is as follows:

$ ./cli.sh encrypt [-j] string

If you do not enter the string as part of the command, the command prompts for the string to be encrypted. If you enter the string as part of the command, any special characters, for example quotation marks, must be escaped.

The -j option indicates that the string to be encrypted is a JSON object, and validates the object. If the object is malformed JSON and you use the -j option, the command throws an error. It is easier to input JSON objects in interactive mode. If you input the JSON object on the command-line, the object must be surrounded by quotes and any special characters, including curly braces, must be escaped. The rules for escaping these characters are fairly complex. For more information, see the OSGi specification. For example:

$ ./cli.sh encrypt -j '\{\"password\":\"myPassw0rd\"\}'

The following example encrypts a normal string value:

$ ./cli.sh encrypt mypassword
Executing ./cli.sh...x
Starting shell in /path/to/openidm
-----BEGIN ENCRYPTED VALUE-----
{
  "$crypto" : {
    "type" : "x-simple-encryption",
    "value" : {
      "cipher" : "AES/CBC/PKCS5Padding",
      "stableId" : "openidm-sym-default",
      "salt" : "vdz6bUztiT6QsExNrZQAEA==",
      "data" : "RgMLRbX0guxF80nwrtaZkkoFFGqSQdNWF7Ve0zS+N1I=",
      "keySize" : 16,
      "purpose" : "idm.config.encryption",
      "iv" : "R9w1TcWfbd9FPmOjfvMhZQ==",
      "mac" : "9pXtSKAt9+dO3Mu0NlrJsQ=="
    }
  }
}
------END ENCRYPTED VALUE------

The following example prompts for a JSON object to be encrypted:

$ ./cli.sh encrypt -j
Using boot properties at /path/to/openidm/resolver/boot.properties
Enter the Json value

> Press ctrl-D to finish input
Start data input:
{"password":"myPassw0rd"}
^D        
-----BEGIN ENCRYPTED VALUE-----
{
  "$crypto" : {
    "type" : "x-simple-encryption",
    "value" : {
      "cipher" : "AES/CBC/PKCS5Padding",
      "stableId" : "openidm-sym-default",
      "salt" : "vdz6bUztiT6QsExNrZQAEA==",
      "data" : "RgMLRbX0guxF80nwrtaZkkoFFGqSQdNWF7Ve0zS+N1I=",
      "keySize" : 16,
      "purpose" : "idm.config.encryption",
      "iv" : "R9w1TcWfbd9FPmOjfvMhZQ==",
      "mac" : "9pXtSKAt9+dO3Mu0NlrJsQ=="
    }
  }
}
------END ENCRYPTED VALUE------

3.5. Using the secureHash Subcommand

The secureHash subcommand hashes an input string, or JSON object, using the specified hash algorithm. This subcommand can be used to hash password values, or other sensitive data, to be stored in the repository. The hashed value is output to standard output and provides details of the algorithm that was used to hash the data.

Usage is as follows:

$ ./cli.sh secureHash --algorithm [-j] string

The -a or --algorithm option specifies the hash algorithm to use. For a list of supported hash algorithms, see "Encoding Attribute Values by Using Salted Hash Algorithms".

If you do not enter the string as part of the command, the command prompts for the string to be hashed. If you enter the string as part of the command, any special characters, for example quotation marks, must be escaped.

The -j option indicates that the string to be hashed is a JSON object, and validates the object. If the object is malformed JSON and you use the -j option, the command throws an error. It is easier to input JSON objects in interactive mode. If you input the JSON object on the command-line, the object must be surrounded by quotes and any special characters, including curly braces, must be escaped. The rules for escaping these characters are fairly complex. For more information, see the OSGi specification. For example:

$ ./cli.sh secureHash --algorithm SHA-384 '\{\"password\":\"myPassw0rd\"\}'

The following example hashes a password value (mypassword) using the SHA-384 algorithm:

$ ./cli.sh secureHash --algorithm SHA-384 mypassword
Executing ./cli.sh...
Starting shell in /path/to/openidm
Nov 14, 2017 1:19:49 PM org.forgerock.openidm.core.FilePropertyAccessor loadProps
INFO: Using properties at /path/to/openidm/resolver/boot.properties
-----BEGIN HASHED VALUE-----
{
  "$crypto" : {
    "value" : {
      "algorithm" : "SHA-384",
      "data" : "1bgOyADyXRFt4lNA80NOM0MeqWyBmAITFnB4742QdSTaLZkCw0kITPOCUhnSaeM8vKMG/W3jRN7slpcrc9jjqg=="
    },
    "type" : "salted-hash"
  }
}
------END HASHED VALUE------

The following example prompts for a JSON object to be hashed:

$ ./cli.sh secureHash --algorithm SHA-384 -j
Executing ./cli.sh...
Executing ./cli.sh...
Starting shell in /path/to/openidm
Nov 14, 2017 1:24:26 PM org.forgerock.openidm.core.FilePropertyAccessor loadProps
INFO: Using properties at /path/to/openidm/resolver/boot.properties
Enter the Json value

> Press ctrl-D to finish input
Start data input:
{"password":"myPassw0rd"}
^D
-----BEGIN HASHED VALUE-----
{
  "$crypto" : {
    "value" : {
      "algorithm" : "SHA-384",
      "data" : "7Caabx7d+vOZ7d3VMwdQObQJdTQ3uGOItsX5AwR4ViygUfARR/XuxRIBQt1LRq58ZOQXFwuw+3rvzK7Kld8pSg=="
    },
    "type" : "salted-hash"
  }
}
------END HASHED VALUE------

3.6. Using the keytool Subcommand

The keytool subcommand exports or imports secret key values.

The Java keytool command lets you export and import public keys and certificates, but not secret or symmetric keys. The IDM keytool subcommand provides this functionality.

Usage is as follows:

$ ./cli.sh keytool [--export, --import] alias

For example, to export the default IDM symmetric key, run the following command:

$ ./cli.sh keytool --export openidm-sym-default
   Executing ./cli.sh...
Starting shell in /home/idm/openidm
Use KeyStore from: /openidm/security/keystore.jceks
Please enter the password: 
[OK] Secret key entry with algorithm AES
AES:606d80ae316be58e94439f91ad8ce1c0

The default keystore password is changeit. For security reasons, you must change this password in a production environment. For information about changing the keystore password, see "To Change the Default Keystore Password".

To import a new secret key named my-new-key, run the following command:

$ ./cli.sh keytool --import my-new-key   
Using boot properties at /openidm/resolver/boot.properties
Use KeyStore from: /openidm/security/keystore.jceks
Please enter the password: 
Enter the key: 
AES:606d80ae316be58e94439f91ad8ce1c0

If a secret key with that name already exists, IDM returns the following error:

"KeyStore contains a key with this alias"

3.7. Using the validate Subcommand

The validate subcommand validates all .json configuration files in your project's conf/ directory.

Usage is as follows:

$ ./cli.sh validate
Executing ./cli.sh
Starting shell in /path/to/openidm
Using boot properties at /path/to/openidm/resolver/boot.properties
...................................................................
[Validating] Load JSON configuration files from:
[Validating] 	/path/to/openidm/conf
[Validating] audit.json .................................. SUCCESS
[Validating] authentication.json ......................... SUCCESS
    ...
[Validating] sync.json ................................... SUCCESS
[Validating] ui-configuration.json ....................... SUCCESS
[Validating] ui-countries.json ........................... SUCCESS
[Validating] workflow.json ............................... SUCCESS

3.8. Using the update Subcommand

The update subcommand supports updates for patches and migrations. For an example of this process, see "Updating Servers" in the Installation Guide.

Chapter 4. Using the Browser-Based UI

IDM provides a customizable, browser-based user interface. The functionality is subdivided into Administrative and Self-Service User Interfaces.

If you are configuring or administering IDM, navigate to the Administrative User Interface (Admin UI). If IDM is installed on the local system, you can get to the Admin UI at the following URL: https://localhost:8443/admin. In the Admin UI, you can configure connectors, customize managed objects, set up attribute mappings, manage accounts, and more.

The End User UI provides role-based access to tasks based on BPMN2 workflows, and allows users to manage certain aspects of their own accounts, including configurable self-service registration. When IDM starts, you can access the End User UI at https://localhost:8443/. For more information, see "Configuring User Self-Service".

All users, including openidm-admin, can change their password through the End User UI.

Warning

The default password for the administrative user, openidm-admin, is openidm-admin. To protect your deployment in production, change the default administrative password, as described in "To Change the Default Administrator Password".

4.1. Configuring the Server from the Admin UI

The Admin UI provides a graphical interface for most aspects of the IDM configuration.

Use the Quick Start cards and the Configure and Manage drop-down menus to configure the server.

In the following sections, you will examine the default Admin UI dashboard, and learn how to set up custom Admin UI dashboards.

Caution

If your browser uses an AdBlock extension, it might inadvertently block some UI functionality, particularly if your configuration includes strings such as ad. For example, a connection to an Active Directory server might be configured at the endpoint system/ad. To avoid problems related to blocked UI functionality, either remove the AdBlock extension, or set up a suitable white list to ensure that none of the targeted endpoints are blocked.

4.1.1. Default Admin UI Dashboards

The Admin UI includes multiple default dashboards. You can create additional dashboards, or add and remove widgets from the existing dashboards. For more information, see "Managing Dashboards".

When you log into the Admin UI the Quick Start dashboard loads by default.

Quick Start Dashboard

The Admin UI includes a fixed top menu bar. As you navigate around the Admin UI, you should see the same menu bar throughout.

To display all configured dashboards, select Dashboards > Manage Dashboards. In addition to the Quick Start dashboard, three dashboards are provided by default: System Monitoring, Resource Report and Business Report. The default dashboards cover the following functionality:

Quick Start Dashboard

Quick Start cards support one-click access to common administrative tasks. For more information, see "Quick Start Cards".

System Monitoring Dashboard

Audit Events include information on audit data, segregated by date. For more information on these events, see "Setting Up Audit Logging".
System Health includes data on current CPU and memory usage.
Last Reconciliation includes data from the most recent reconciliation between data stores.

Resource Report

The Resources Report includes widgets that show the number of active users, configured roles, and active connectors.
The Resources widget shows all configured connectors, mappings, and managed object types.

Business Report

The Business Report includes widgets related to login and registration activity.

4.1.1.1. Quick Start Cards

The Quick Start cards allow quick access to the following configuration options:

Add Connector
Use the Admin UI to connect to external resources. For more information, see "Creating Connector Configurations With the Admin UI".
Create Mapping
Configure synchronization mappings to map objects between resources. For more information, see "Mapping Source Objects to Target Objects".
Manage Roles
Set up managed provisioning or authorization roles. For more information, see "Working With Managed Roles".
Add Device
Use the Admin UI to set up managed objects, including users, groups, roles, or even Internet of Things (IoT) devices. For more information, see "Managing Accounts".
Configure Registration
Configure user Self-Registration. You can set up the End User UI login screen, with a link that allows new users to start a verified account registration process. For more information, see "Configuring User Self-Service".
Configure Password Reset
Configure user self-service Password Reset. You can configure the ability for users to reset forgotten passwords. For more information, see "Configuring User Self-Service".
Manage Users
Allows management of users in the repository. For more information, see "Working with Managed Users".
Configure System Preferences
Configure the following aspects of the server:
- Audit, as described in "Setting Up Audit Logging".
- End User UI, as described in "Changing the UI Path".
- Privacy & Consent, as described in "Configuring Privacy & Consent".
- Workflows, as described in "Integrating Business Processes and Workflows".

4.1.2. Managing Dashboards

You can set up additional dashboards for customized views of the Admin UI, and you can embed external dashboards such as Kibana or Grafana, or other monitoring boards.

To create a new dashboard, select Dashboards > New Dashboard. Enter a dashboard name and select whether this dashboard should be the default board that is displayed when you load the Admin UI.

For a customized view of the Admin UI, select Widgets as the Dashboard Type, then select Create Dashboard and add the widgets that you want exposed in that view.
You can also customize the view by starting with an existing dashboard. In the upper-right corner of the UI, next to the Add Widget button, click the vertical ellipses () then select Rename or Duplicate.
To embed an external dashboard, select Embedded URL as the Dashboard Type, then enter the URL of the dashboard that you want to embed and select Create Dashboard.

To add a widget to a dashboard, click Add Widget and select the widget type. Widgets are grouped in logical categories, so scroll down to the category that fits the widget you want to add.

To modify the position of a widget in a dashboard, click and drag the move icon for the widget ().

If you add a new Quick Start widget, select the vertical ellipsis () icon in the upper right corner of the widget, and click Settings.

You can configure an Admin UI sub-widget to embed in the Quick Start widget.
If you are linking to a specific page in the Admin UI, the destination URL can be the part of the address after the main page for the Admin UI, such as https://localhost:8443/<someURI>
For example, to create a quick start link to the Audit configuration tab, at https://localhost:8443/admin/#settings/audit/, enter #settings/audit in the destination URL text box.

IDM writes the changes you make to the ui-dashboard.json file for your project.

For example, if you add two widgets (Last Reconciliation and System Health) to a new dashboard named Test, you'll see the following excerpt in your ui-dashboard.json file:

{
    "name" : "test",
    "isDefault" : false,
    "widgets" : [
        {
            "type" : "lastRecon",
            "size" : "large",
            "barchart" : "false"
        },
        {
            "type" : "systemHealthFull",
            "size" : "large"
        }
    ],
    "embeddedDashboard" : false
}

For more information on each property, see the following table:

Admin UI Widget Properties in ui-dashboard.json

Property	Options	Description
`name`	User entry	Dashboard name
`isDefault`	`true` or `false`	Default dashboard; can set one default
`widgets`	Different options for `type`	Code blocks that define a widget
`type`	`lifeCycleMemoryHeap`, `lifeCycleMemoryNonHeap`, `systemHealthFull`, `cpuUsage`, `lastRecon`, `resourceList`, `quickStart`, `frame`, `userRelationship`	Widget name
`size`	`x-small`, `small`, `medium`, or `large`	Width of widget, based on a 12-column grid system, where x-small=4, small=6, medium=8, and large=12; for more information, see Bootstrap CSS
`height`	Height, in units such as `cm`, `mm`, `px`, and `in`	Height; applies only to Embed Web Page widget
`frameUrl`	URL	Web page to embed; applies only to Embed Web Page widget
`title`	User entry	Label shown in the UI; applies only to Embed Web Page widget
`barchart`	`true` or `false`	Reconciliation bar chart; applies only to Last Reconciliation widget

When complete, you can select the name of the new dashboard under the Dashboards menu or from the Manage Dashboards panel.

You can modify the options for each dashboard and widget. Select the vertical ellipsis in the upper right corner of the object, and make desired choices from the pop-up menu.

The following tables display an alphabetical list of the available widgets, by category:

Admin UI Reporting Widgets

Name	Description
Audit Events	Graphical display of audit events; also see "Viewing Audit Events in the Admin UI".
Count Widget	A reporting widget that provides an instant display of the number of specific objects, for example active managed users, enabled social providers, and so on. For more information, see "Reporting, Monitoring, and Notifications".
Dropwizard Table With Graph	Does not appear in the list of widgets unless metrics are active, per "Metrics and Monitoring".
Graph Widget	Provides a graphical view of a specific managed resource, for example managed users, based on some metric.
Last Reconciliation	Shows statistics from the most recent reconciliation, shown in System Monitoring dashboard; also see "Obtaining the Details of a Reconciliation"
New Registrations	The number of users that have self-registered that week. To display data using this widget, user self-registration must be enabled (see "User Self-Registration").
Password Resets	The number of password resets that week. To display data using this widget, password reset must be enabled (see "User Password Reset").
Resources	Connectors, mappings, managed objects; shown in Administration dashboard
Sign-Ins	The number of managed users that have signed in to the service that week.

Social Widgets

Name	Description
Daily Social Logins	Graphical display of logins via social identity providers; for related information see "Configuring Social Identity Providers"
Social Registration (year)	Graphical display of registrations over the past year; for related information, see "Configuring Social Identity Providers"

System Status Widgets

Name	Description
Cluster Node Status	Lists the instances in a cluster, with their status. For more information, see "Managing Nodes Through the Admin UI".
CPU Usage	Also part of System Health widget
Memory Usage (JVM Heap)	Graphs available JVM Heap memory (ref "Memory Health Check"
Memory Usage (JVM NonHeap)	Graphs available JVM Non-Heap memory (ref "Memory Health Check"
System Health	Shown in System Monitoring dashboard; includes CPU Usage, Memory Usage (JVM Heap), and Memory Usage (JVM NonHeap)

Utility Widgets

Name	Description
Embed Web Page	Supports embedding of external content; for more information, see Embed Web Page Widget Requirements
Identity Relationships	Graphical display of relationships between identities; also see "Viewing Relationships in Graph Form"
Managed Objects Relationship Diagram	Graphical diagram with connections between managed object properties; also see "Viewing the Relationship Configuration in the UI"
Quick Start	Links to common tasks; shown in Administration dashboard

Embed Web Page Widget Requirements

To use the Embed Web Page applet, you'll need a web site that supports appropriate x-frame-options. For example, Google has a Maps Embed API for that purpose.

4.2. Managing Accounts

Only administrative users (with the role openidm-admin) can add, modify, and delete accounts from the Admin UI. Regular users can modify certain aspects of their own accounts from the End User UI.

4.2.1. Account Configuration

In the Admin UI, you can manage most details associated with an account. Create a user if needed, and then select Manage > User > Username. In the screen that appears, you can configure the following elements of a user account:

Details: The Details tab includes basic identifying data for each user, based on attributes configured in your project's managed.json file.
Password: As an administrator, you can create new passwords for users in the managed user repository.
Provisioning Roles: Used to specify how objects are provisioned to an external system. For more information, see "Working With Managed Roles".
Authorization Roles: Used to specify the authorization rights of a managed user within IDM. For more information, see "Working With Managed Roles".
Direct Reports: Users who are listed as managers of others have graphical entries linked to those users under the Direct Reports tab.
Linked Systems: Used to display account information reconciled from external systems.

4.2.2. Procedures for Managing Accounts

With the following procedures, you can use the Admin UI to add, update, and delete accounts for managed objects such as users. To make these changes using REST, see "Working with Managed Users".

The managed object does not have to be a user. It can be a role, a group, or even a physical item such as an IoT device. The basic process for adding, modifying, deactivating, and deleting other objects is the same as it is with accounts. However, the details may vary; for example, many IoT devices do not have telephone numbers.

To Add a User Account

Log in to the Admin UI at https://localhost:8443/admin.
Click Manage > User.
Click New User.
Complete the fields on the New User page.
By default, the New User page displays only the password and the fields that are configured as required in the schema, as shown in this excerpt from managed.json
```
"required" : [
    "userName",
    "givenName",
    "sn",
    "mail"
]
```
To display additional properties on the New User page, add the desired property to this list of required attributes.
The fields on this page are subject to policy validation, as described in "Using Policies to Validate Data". So, for example, the email address must be a valid email address, and the password must comply with the configured password policy.

In a similar way, you can create accounts for other managed objects.

You can review new managed object settings in the managed.json file of your project-dir/conf directory.

In the following procedures, you learn how:

"To Update a User Account"
"To Delete a User Account"
"To View an Account in External Resources"

To Update a User Account

Log in to the Admin UI at https://localhost:8443/admin as an administrative user.
Click Manage > User.
Click the Username of the user that you want to update.
On the profile page for the user, modify the fields you want to change and click Update.
The user account is updated in the repository.

To Delete a User Account

Log in to the Admin UI at https://localhost:8443/admin as an administrative user.
Click Manage > User.
Select the checkbox next to the desired Username.
Click the Delete Selected button.
Click OK to confirm the deletion.
The user is deleted from the internal repository.

To View an Account in External Resources

The Admin UI displays the details of the account in the repository (managed/user). When a mapping has been configured between the repository and one or more external resources, you can view details of that account in any external system to which it is linked. As this view is read-only, you cannot update a user record in a linked system from within the Self-Service UI.

By default, implicit synchronization is enabled for mappings from the managed/user repository to any external resource. This means that when you update a managed object, any mappings defined in the sync.json file that have the managed object as the source are automatically executed to update the target system. You can see these changes in the Linked Systems section of a user's profile.

To view a user's linked accounts:

Log in to the Admin UI at https://localhost:8443/admin.
Click Manage User > Username > Linked Systems.
The Linked Systems panel indicates the external mapped resource or resources.
Select the resource in which you want to view the account, from the Linked Resource list.
The user record in the linked resource is displayed.

4.3. Customizing the Admin UI

You can customize the Admin UI for your specific deployment. When you install IDM, you will find the default Admin UI configuration files in the following directory: openidm/ui/admin/default.

In most cases, we recommend that you copy this directory to openidm/ui/admin/extension with commands such as:

$ cd /path/to/openidm/ui/admin
$ cp -r default/. extension

You can then set up custom files in the extension/ subdirectory.

The Admin UI templates in the openidm/ui/admin/default/templates directory might help you get started.

If you want to customize workflows in the UI, see "Managing User Access to Workflows".

4.3.1. Customizing the Admin UI, by Functionality

You may want to customize parts of the Admin UI. You've set up an openidm/ui/admin/extension directory as described in "Customizing the Admin UI". In that directory, you can find a series of subdirectories. The following table is intended to help you search for the right file(s) to customize:

File Functionality by Admin UI Directory

Subdirectory	Description
`config`	Top-level configuration directory of JavaScript files. Customizable subdirectories include `errorhandlers/` with HTTP error messages and `messages/` with info and error messages. For actual messages, see the `translation.json` file in the `locales/en/` subdirectory.
`css/` and `libs/`	If you use a different bootstrap theme, you can replace the files in this and related subdirectories. For more information, see "UI Themes and Bootstrap".
`fonts/`	The font files in this directory are based on the Font Awesome CSS toolkit described in "Changing the UI Theme".
`images/` and `img/`	IDM uses the image files in these directories, which you can choose to replace with your own.
`locales/`	Includes the associated `translation.json` file, by default in the `en/` subdirectory.
`org/`	Source files for the End User UI
`partials/`	Includes partial components of HTML pages in the End User UI, for assignments, authentication, connectors, dashboards, email, basic forms, login buttons, etc.
`templates/`	The files in the `templates/` subdirectory are in actual use. For an example of how you can customize such files in the Admin UI, see "Customizing the End User UI".

To see an example of how this works, review "Customizing the End User UI". It includes examples of how you can customize parts of the End User UI. You can use the same technique to customize parts of the Admin UI.

Tip

The above table is not a complete list. To see a visual representation of customizable Admin UI files, from the Linux command line, run the following commands:

$ cd /path/to/openidm/ui/admin/extension
$ tree

4.4. Changing the UI Theme

You can customize the theme of the user interface. The default UI uses the Bootstrap framework and the Font Awesome CSS toolkit. You can download and customize the UI with the Bootstrap themes of your choice.

Note

If you use Brand Icons from the Font Awesome CSS Toolkit, be aware of the following statement:

All brand icons are trademarks of their respective owners. The use of these trademarks does not indicate endorsement of the trademark holder by ForgeRock, nor vice versa.

4.4.1. UI Themes and Bootstrap

You can configure a few features of the UI in the ui-themeconfig.json file in your project's conf/ subdirectory. However, to change most theme-related features of the UI, you must copy target files to the appropriate extension subdirectory, and then modify them as discussed in "Customizing the Admin UI".

By default the UI reads the stylesheets and images from the respective openidm/ui/function/default directories. Do not modify the files in this directory. Your changes may be overwritten the next time you update or even patch your system.

The default Admin UI configuration files are located in openidm/ui/admin/default. To customize the UI, copy this directory to openidm/ui/admin/extension:

You may also need to update the "stylesheets" listing in the ui-themeconfig.json file for your project, in the project-dir/conf directory.

"stylesheets" : [
    "css/bootstrap-3.4.1-custom.css",
    "css/structure.css",
    "css/theme.css"
],

You can find these stylesheets in the /css subdirectory.

bootstrap-3.4.1-custom.css: Includes custom settings that you can get from various Bootstrap configuration sites, such as the Bootstrap Customize and Download website.
You may find the ForgeRock version of this in the config.json file in the ui/admin/default/css/common/structure/ directory.
structure.css: Supports configuration of structural elements of the UI.
theme.css: Includes customizable options for UI themes such as colors, buttons, and navigation bars.

If you want to set up custom versions of these files, copy them to the extension/css subdirectories.

4.4.2. Changing the Default Logo

The default UI logo is in openidm/ui/admin/default/images. To change the logo, place your custom image in the openidm/ui/admin/extension/images directory. You should see the changes after refreshing your browser.

To specify a different file name, or to control the size, and other properties of the logo image file, adjust the logo property in the UI theme configuration file for your project (conf/ui-themeconfig.json).

The following change to the UI theme configuration file points to an image file named example-logo.png, in the openidm/ui/admin/extension/images directory:

...
"loginLogo" : {
     "src" : "images/example-logo.png",
     "title" : "Example.com",
     "alt" : "Example.com",
     "height" : "104px",
     "width" : "210px"
},
...

Refresh your browser window for the new logo to appear.

You can configure a few features of the UI in the ui-themeconfig.json file in your project's conf directory. However, to change most theme-related features of the UI, you must copy target files to the appropriate extension subdirectory, and then modify them as discussed in "Customizing the Admin UI".

By default the UI reads the stylesheets and images from the openidm/ui/admin/default directory. Do not modify the files in this directory. Your changes may be overwritten the next time you update or even patch your system.

To customize your UI, first set up matching subdirectories in (openidm/ui/admin/extension). For example, openidm/ui/admin/extension/libs and openidm/ui/admin/extension/css.

You might also need to update the "stylesheets" listing in the ui-themeconfig.json file for your project, in the project-dir/conf directory.

"stylesheets" : [
    "css/bootstrap-3.4.1-custom.css",
    "css/structure.css",
    "css/theme.css"
],

The default stylesheets have the following function:

bootstrap-3.4.1-custom.css: Includes custom settings that you can get from various Bootstrap configuration sites, such as the Bootstrap Customize and Download site. This site lets you upload a config.json file that makes it easier to create a customized Bootstrap file. The ForgeRock version of this file is in ui/admin/default/css/common/structure/. You can use this file as a starting point for your customization.
structure.css: For configuring structural elements of the UI.
theme.css: Includes customizable options for UI themes such as colors, buttons, and navigation bars.

To set up custom versions of these files, copy them to the extension/css subdirectories.

4.4.4. Custom Response Headers

You can specify custom response headers for your UI by using the responseHeaders property in UI context configuration files such as conf/ui.context-selfservice.json. For example, the X-Frame-Options header is a security measure used to prevent a web page from being embedded within the frame of another page. For more information about response headers, see the MDN page on HTTP Headers.

Since the responseHeaders property is specified in the configuration file for each UI context, you can set different custom headers depending on the needs of that part of IDM. For example, you may want different security headers included for the Admin and End User UIs.

4.5. Resetting User Passwords

When working with end users, administrators frequently have to reset their passwords. You can do so directly, through the Admin UI. Alternatively, you can configure an external system for that purpose, or set up password reset, as described in "User Password Reset".

4.5.1. Changing a User Password Through the Admin UI

From the Admin UI, you can change the passwords of accounts in the internal Managed User data store; to do so, take the following steps in the Admin UI:

Select Manage > User. Choose a specific user from the list that appears.
Select the Password tab for that user; you should be able to change that user's password there.

4.5.2. Using an External System for Password Reset

By default, the Password Reset mechanism is handled within IDM. You can reroute Password Reset in the event that a user has forgotten their password, by specifying an external URL to which Password Reset requests are sent. Note that this URL applies to the Password Reset link on the login page only, not to the security data change facility that is available after a user has logged in.

To set an external URL to handle Password Reset, set the passwordResetLink parameter in the UI configuration file (conf/ui-configuration.json) file. The following example sets the passwordResetLink to https://accounts.example.com/account/reset-password:

passwordResetLink: "https://accounts.example.com/reset-password"

The passwordResetLink parameter takes either an empty string as a value (which indicates that no external link is used) or a full URL to the external system that handles Password Reset requests.

Note

External Password Reset and security questions for internal Password Reset are mutually exclusive. Therefore, if you set a value for the passwordResetLink parameter, users will not be prompted with any security questions, regardless of the setting of the securityQuestions parameter.

4.6. Providing a Logout URL to External Applications

By default, a UI session is invalidated when a user clicks on the Log out link. In certain situations your external applications might require a distinct logout URL to which users can be routed, to terminate their UI session.

The logout URL is #logout, appended to the UI URL, for example, https://localhost:8443/#logout/.

The logout URL effectively performs the same action as clicking on the Log out link of the UI.

4.7. Changing the UI Path

By default, the End User UI is registered at the root context and is accessible at the URL https://localhost:8443. To specify a different URL, edit the project-dir/conf/ui.context-selfservice.json file, setting the urlContextRoot property to the new URL.

For example, to change the URL of the End User UI to https://localhost:8443/exampleui, edit the file as follows:

"urlContextRoot" : "/exampleui",

Alternatively, to change the End User UI URL in the Admin UI, follow these steps:

Log in to the Admin UI.
Select Configure > System Preferences, and select the Self-Service UI tab.
Specify the new context route in the Relative URL field.

4.8. API Explorer

IDM includes an API Explorer, an implementation of the OpenAPI Initiative Specification, also known popularly as Swagger.

To access the API Explorer, log into the Admin UI, select the question mark in the upper right corner, and choose API Explorer from the drop-down menu.

Note

If the API Explorer does not appear, you may need to enable it in your resolver/boot.properties file, specifically with the openidm.apidescriptor.enabled property. For more information see, "Disabling the API Explorer".

The API Explorer covers most of the endpoints provided with a default IDM installation.

Each endpoint lists supported HTTP methods such as POST and GET. When custom actions are available, the API Explorer lists them as HTTP Method /path/to/endpoint?_action=something.

To see how this works, navigate to the User endpoint, select List Operations, and choose the GET option associated with the /managed/user#_query_id_query-all endpoint.

In this case, the defaults are set, and all you need to do is select the Try it out! button. The output you see includes:

The REST call, in the form of the curl command.
The request URL, which specifies the endpoint and associated parameters.
The response body, which contains the data that you requested.
The HTTP response code; if everything works, this should be 200.
Response headers.

Tip

If you see a 401 Access Denied code in the response body, your session may have timed out, and you'll have to log into the Admin UI again.

For details on common ForgeRock REST parameters, see "About ForgeRock Common REST".

You'll see examples of REST calls throughout this documentation set. You can try these calls with the API Explorer.

You can also generate an OpenAPI-compliant descriptor of the REST API to provide API reference documentation specific to your deployment. The following command saves the API descriptor of the managed/user endpoint to a file named my-openidm-api.json:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 --output "my-openidm-api.json" \
 "http://localhost:8080/openidm/managed/user?_api"

For information about publishing reference documentation using the API descriptor, see "To Publish OpenAPI Documentation".

4.9. Disabling the UI

The UI is packaged as a separate bundle that can be disabled in the configuration before server startup. To disable the registration of the UI servlet, edit the project-dir/conf/ui.context-selfservice.json file, setting the enabled property to false:

"enabled" : false,

Chapter 5. Configuring User Self-Service

ForgeRock Identity Management (IDM) allows you to configure a number of features of user self-service, including user self-registration, password reset, username retrieval, custom email notifications, Privacy & Consent, progressive profile completion, Terms & Conditions, and more, as described in the following sections:

"User Self-Registration"
"User Password Reset"
"Forgotten Username"
"Configuring Notification Emails"
"Configuring Privacy & Consent"
"Customizing the End User UI"
"Setting Up User-Managed Access (UMA), Trusted Devices, and Privacy"
"Progressive Profile Completion"
"Adding Terms & Conditions"
"Localizing the End User UI"

Each of these sections are designed to help you as an IDM deployer, customize the End User UI. To that end, these sections discuss:

Required and supplementary configuration files, along with available functionality for each file.
REST endpoints, sometimes including REST calls to identify and change the configuration of each End User UI function.

When appropriate, this chapter includes the steps that you'd take to verify functionality from an end user point of view.

Note

Some of the options described in this chapter can be used to help support compliance with the General Data Protection Regulation (GDPR).

5.1. User Self-Registration

IDM supports user self-registration. When enabled, users can log into the IDM End User UI, and create their own accounts on your system, with customizable criteria. Once enabled, administrators no longer need to create user accounts manually.

In the following sections, you'll examine:

"Basic Setup: User Self-Registration Configuration Files"
"Managing User Self-Registration Over REST"
"Configuring the User Self-Registration Form"
"User Self-Registration: Social"
"Configuring User Self-Registration From the Admin UI"
"Configuring Multiple User Self-Registration Flows"

5.1.1. Basic Setup: User Self-Registration Configuration Files

To set up basic user self-registration, you'll need at least the following configuration files:

selfservice-registration.json
You can find a template version of this file in the following directory: openidm/samples/example-configurations/self-service.
ui-configuration.json
You can find this file in the default IDM project configuration directory, openidm/conf.

Note

Depending on how you configure User Self-Registration, you may need to set up additional configuration files, as discussed in "Configuring the User Self-Registration Form".

To enable self-service registration in the UI, enable the following boolean in ui-configuration.json:

"selfRegistration" : true,

You can include several features with user self-registration, as shown in the following excerpts of the selfservice-registration.json file:

The allInOneRegistration property determines whether IDM collects all user registration information in one or multiple pages. By default, it's set to true:
```
"allInOneRegistration" : true,
```
The idmUserDetails code block includes the IDM property for email addresses (mail), whether or not registration with social identity providers is enabled, along with data required from new users, as described in "Configuring the User Self-Registration Form".
The registrationPreferences code block includes preferences as defined in the managed.json file. For more information, see "Configuring End User Preferences".
If you've set up Terms & Conditions, users who self-register will have to accept them, based on criteria you create, as discussed in "Adding Terms & Conditions". If you've included Terms & Conditions with user self-registration, you'll see the following code block:
```
{
     "name" : "termsAndConditions"
},
```
If you've configured Privacy & Consent, you'll see a code block with the consent name. The following code block includes template Privacy & Consent terms in English (en) and French (fr):
```
{
     "name" : "consent",
     "consentTranslations" : {
         "en" : "Please consent to sharing your data with whomever we like.",
         "fr" : "Veuillez accepter le partage de vos données avec les services de notre choix."
     }
},
```
Note
Substitute Privacy & Consent content that meet the requirements of your legal authorities.
New users will have to manually accept these conditions before they complete the self-registration process. For more information, see "Configuring Privacy & Consent".
If you've activated Google reCAPTCHA for user self-service registration, you'll see the following code block:
```
{
     "name" : "captcha",
     "recaptchaSiteKey" : "<siteKey>",
     "recaptchaSecretKey" : "<secretKey>",
     "recaptchaUri" : "https://www.google.com/recaptcha/api/siteverify"
},
```
As suggested by the code, you'd substitute the actual siteKey and secretKey assigned by Google for your domain. For more information, see "Configuring Google reCAPTCHA".
If you've included email verification, be sure to configure an outgoing email server per "Configuring Outbound Email". For a discussion of the code block to add to selfservice-registration.json, see "Configuring Emails for Self-Service Registration".
If you've configured security questions, users who self-register will have to create them during registration, and as needed, answer them during the password reset process. If so configured, users who've been reconciled from external data stores will also be prompted to add security questions. The relevant code block is shown here, which includes security questions as a stage in the user self-registration process. For related configuration options, see "Configuring Security Questions".
```
{
     "name" : "kbaSecurityAnswerDefinitionStage",
     "kbaConfig" : null
},
```

For audit activity data related to user self-registration, see "Querying the Activity Audit Log".

5.1.2. Managing User Self-Registration Over REST

You can review the current user self-registration configuration over REST:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/config/selfservice/registration"

Unless you've disabled file writes per "Disabling Automatic Configuration Updates", the output will match the contents of your project's selfservice-registration.json file.

If needed, you can update this configuration by including the desired contents of the file:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request PUT \
--data '{ <Insert file contents here> }' \
"http://localhost:8080/openidm/config/selfservice/registration"

5.1.3. Configuring the User Self-Registration Form

During user self-registration, IDM lists the attributes that users see in the user registration form, as defined in the selfservice-registration.json file. You can modify the properties shown to users in the registrationProperties code block:

"registrationProperties" : [
    "userName",
    "givenName",
    "sn",
    "mail"
],

If you add a managed user property to the registrationProperties code block, IDM includes it in the user self-registration screen.

Alternatively, you can add a managed user property in the Admin UI. Select Configure > User Registration, and add a property under the Registration Form tab. This action also adds a managed user property to the noted code block.

In either case, you can change the order of properties; IDM shows the order you configure in the user self-registration screen.

You can also set up user self-registration via configuration files, as described in the following table:

User Self-Registration Configuration Files

File Name	Description
`external.email.json`	If you want to enable email validation, you'll need to configure this file, as discussed in "Configuring Outbound Email".
`managed.json`	You can customize user self-registration based on entries in this file. To change the labels seen by end users, change the associated `title`.
`policy.json`	For more information, see "Adding Custom Policies for Self-Registration and Password Reset".
`selfservice.kba.json`	See "Configuring Security Questions".
`selfservice-registration.json`	See "User Self-Registration".
`ui-configuration.json`	See "User Self-Registration".
`consent.json`	Specifies whether Privacy & Consent is enabled; however, you'll need to set up additional configuration files, as described in "Configuring Privacy & Consent".

5.1.5. Configuring User Self-Registration From the Admin UI

To configure user self-registration from the Admin UI, select Configure > User Registration and select Enable User Registration in the page that appears.

You'll see a pop-up window that specifies User Registration Settings, including the following:

Identity Resource, typically managed/user
Identity Email Field, typically mail or email
Success URL for the End User UI; users who successfully log in are redirected to that URL. By default, the success URL is http://localhost:8080/#dashboard/.
Preferences, which set up default marketing preferences for new users. New users can change these preferences during registration, or from the End User UI.
Advanced Options, Snapshot Token, typically a JSON Web Token (JWT)
Advanced Options, Token Lifetime, with a default of 300 seconds

You can also add these settings to the following configuration file: selfservice-registration.json. When you modify these settings in the Admin UI, IDM creates the file for you.

Once active, you'll see three tabs under User Registration in the Admin UI:

Registration Form, as described in "Configuring the User Self-Registration Form"
Social, as described in "User Self-Registration: Social"
Options, as described in "Common Steps: User Self-Registration, Password Reset, Forgotten Username"

5.1.6. Verifying Self-Registration in the End User UI

After configuring user self-registration, test the result from the end user's point of view. Navigate to the End User UI at http://localhost:8080, and select Create an account. You'll see a single-page Sign Up screen with configured text boxes and required security questions. If included in your configuration files, you'll also see marketing preferences such as "Send me news and updates".

If you've configured Terms & Conditions, you'll see a link to those terms:

By clicking "Sign Up" you agree to our Terms & Conditions.

Tip

To modify the Terms & Conditions, use the Admin UI or edit the selfservice.terms.json file, as described in "Adding Terms & Conditions".

If you've activated the reCAPTCHA option as described in "Configuring Google reCAPTCHA", you'll need to satisfy the requirements before you can select the SAVE button to create your new user account.

If you've activated the Privacy & Consent option, you'll see a Privacy Notice pop-up. By default, users who try to register aren't allowed to select the Give Consent button, until they actually consent to sharing their information.

Tip

To activate and configure the wording for Privacy & Consent, use the Admin UI or edit the selfservice-registration.json file, as described in "Configuring Privacy & Consent".

Once the new user is created, you should be able to verify the account in the following ways:

Log into the End User UI as the new user.
Find the userName of the new user over REST; one method is shown in "Working with Managed Users".
Log into the Admin UI, and select Manage > User. You should see that new user in the list.

5.1.7. Configuring Multiple User Self-Registration Flows

You can set up multiple self-registration flows, with features limited only by the capabilities listed in "User Self-Registration".

Note

Multiple self-registration flows, and customization of the End User UI beyond what is described in this document (and the noted public Git repository), are not supported.

For additional information on customizing the End User UI, see the following ForgeRock Git repository: ForgeRock/end-user-ui: Identity Management (End User).

For example, you may want to set up different portals for regular employees and contractors. You'd configure each portal with different self-registration flows, managed by the same IDM backend. Each portal would use the appropriate registration API.

To prepare for this section, you'll need a selfservice-registration.json file. You can find a copy in the following directory: /path/to/openidm/samples/example-configurations/self-service.

To avoid errors when using this file, you should either:

Copy the following files from the same directory:
selfservice.terms.json
selfservice-termsAndConditions.json
Delete the termsAndConditions code block from the respective selfservice-registration*.json files.

User self-registration is normally coded in the selfservice-registration.json file. In preparation, copy this file to the selfservice-registration*.json to the names shown in the following list:

Employee Portal
- Configuration file: selfservice-registrationEmployee.json
- URL: https://localhost:8443/openidm/selfservice/registrationEmployee
- verificationLink: https://localhost:8443/#/registrationEmployee
Contractor Portal
- Configuration file: selfservice-registrationContractor.json
- URL: https://localhost:8443/openidm/selfservice/registrationContractor
- verificationLink: https://localhost:8443/#/registrationContractor

Edit the configuration file for each portal.

Modify the verificationLink URL associated with each portal as described.
Edit the access.js file. You can find it in the script/ subdirectory for your project.
Add endpoint information for each new self-service registration file to the access.js, after the selfservice/registration code block. For example, the following code excerpt would apply to the registrationEmployee and registrationContractor endpoints.
```
{
    "pattern"    : "selfservice/registrationEmployee",
    "roles"      : "*",
    "methods"    : "read,action",
    "actions"    : "submitRequirements"
},
{
    "pattern"    : "selfservice/registrationContractor",
    "roles"      : "*",
    "methods"    : "read,action",
    "actions"    : "submitRequirements"
},
```

Modify the functionality of each selfservice-registration*.json file as desired. For guidance, see the sections noted in the following table:

Configuring selfservice-registration*.json Files for Different Portals

Feature	Code Block	Link
Social Registration	"socialRegistrationEnabled" : true,	"User Self-Registration: Social"
Properties requested during self-registration	"registrationProperties" : [ "userName", "givenName", "sn", "mail" ],	"Configuring the User Self-Registration Form"
Terms & Conditions	{ "name" : "termsAndConditions" }	"Adding Terms & Conditions"
Privacy & Consent	{ "name" : "consent", "consentTranslations" : { "en" : "substitute appropriate Privacy & Consent wording", "fr" : "substitute appropriate Privacy & Consent wording, in French" } },
reCAPTCHA	{ "name" : "captcha", "recaptchaSiteKey" : "<siteKey>", "recaptchaSecretKey" : "<secretKey>", "recaptchaUri" : "https://www.google.com/recaptcha/api/siteverify" }	"Configuring Google reCAPTCHA"
Email Validation		"Configuring Emails for Self-Service Registration"
Security Questions	{ "name" : "kbaSecurityAnswerDefinitionStage", "kbaConfig" : null },	"Configuring Security Questions"

If you leave out the code blocks associated with the feature, you won't see that feature in the self-service registration flow. In that way, you can set up different self-service registration flows for the Employee and Contractor portals.

Once you've configured both portals, you can make REST calls to both URLs:

https://localhost:8443/openidm/selfservice/registrationEmployee

https://localhost:8443/openidm/selfservice/registrationContractor

For more advice on how you can create custom registration flows, see the following public ForgeRock Git repository: Identity Management (End User) - UI.

Note

The changes described in this section require changes to the End User UI source code as described in the noted public Git repository. Pay particular attention to the instructions associated with the Registration.vue file.

5.2. User Password Reset

IDM supports self-service user password reset. When enabled, users who forget their passwords can log into the IDM End User UI, and can verify their identities with options such as email validation and security questions.

In the following sections, you'll examine:

"Basic Setup: User Password Reset Configuration Files"
"Managing User Password Reset Over REST"
"Configuring User Self-Registration From the Admin UI"

IDM includes the ability to set up random passwords, as described in "Generating Random Passwords".

5.2.1. Basic Setup: User Password Reset Configuration Files

To set up basic user password reset features, you'll need at least the following configuration files:

selfservice-reset.json
You can find a template version of this file in the following directory: openidm/samples/example-configurations/self-service.
ui-configuration.json
You can find this file in the default IDM project configuration directory, openidm/conf.

To set up self-service user password reset registration, enable the following boolean in ui-configuration.json:

"passwordReset" : true,

You can include several features with user password reset, as shown in the following excerpts of the selfservice-reset.json file:

If you've activated Google reCAPTCHA for user self-service registration, you'll see the following code block:
```
{
     "name" : "captcha",
     "recaptchaSiteKey" : "<siteKey>",
     "recaptchaSecretKey" : "<secretKey>",
     "recaptchaUri" : "https://www.google.com/recaptcha/api/siteverify"
},
```
As suggested by the code, you'd substitute the actual siteKey and secretKey assigned by Google for your domain. For more information, see "Configuring Google reCAPTCHA".
For password reset, IDM needs to verify user identities. To ensure that password reset links are sent to the right user, include the following code block:
```
{
    "name" : "userQuery",
    "validQueryFields" : [
        "userName",
        "mail",
        "givenName",
        "sn"
    ],
    "identityIdField" : "_id",
    "identityEmailField" : "mail",
    "identityUsernameField" : "userName",
    "identityServiceUrl" : "managed/user"
},
```
This code allows IDM to verify user identities by their username, email address, first name (givenName), or last name (sn, short for surname).
If you've included email verification, be sure to configure an outgoing email server per "Configuring Outbound Email". For a discussion of the code block to add to selfservice-registration.json, see "Configuring Emails for Password Reset".
If you've configured security questions, users who self-register will have to create questions and answers during the self-registration process.
If the feature is enabled, users who've been reconciled from external data stores will also be prompted, once, upon their next login, to add security questions and answers. The relevant code block is shown here, which points IDM to other configuration files as discussed in links from this section.
```
{
     "name" : "kbaSecurityAnswerDefinitionStage",
     "kbaConfig" : null
},
```

5.2.2. Managing User Password Reset Over REST

You can review the current user password reset configuration over REST:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/config/selfservice/reset"

Unless you've disabled file writes per "Disabling Automatic Configuration Updates", the output should match the contents of your project's selfservice-reset.json file.

If needed, you can update this configuration by including the desired contents of the file:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request PUT \
--data '{ <Insert file contents here> }' \
"http://localhost:8080/openidm/config/selfservice/reset"

5.2.3. Configuring Password Reset From the Admin UI

To configure Password Reset from the Admin UI, select Configure > Password Reset. When you select Enable Password Reset, you'll see a Configure Password Reset Form that allows you to specify the:

Identity Resource, typically managed/user
Advanced Options, Snapshot Token, typically a JSON Web Token (JWT)
Advanced Options, Token Lifetime, with a default of 300 seconds

You can also add these settings to the following configuration file: selfservice-reset.json. When you modify these settings in the Admin UI, IDM creates the file for you.

5.2.4. Verifying Password Reset in the End User UI

After configuring password reset in "User Password Reset", you can test the result from the end user's point of view. Navigate to the End User UI at http://localhost:8080, select the Profile icon () > Account Security > Password > Reset your password.

You should see a Reset Your Password page with pre-configured queries. After providing an answer, IDM should send a password reset link to the email associated with the target user account.

5.3. Forgotten Username

You can set up IDM to allow users to recover forgotten usernames. You can require that users enter email addresses, or first and last names. Depending on your choices, IDM then will either display that username on the screen, and/or email such information to that user.

In the following sections, you'll examine:

"Basic Setup: Forgotten Username Configuration Files"
"Managing Forgotten Username Retrieval Over REST"
"Configuring Forgotten Username Retrieval From the Admin UI"

5.3.1. Basic Setup: Forgotten Username Configuration Files

To set up basic forgotten username configuration, you'll need at least the following configuration files:

selfservice-username.json
You can find a template version of this file in the following directory: openidm/samples/example-configurations/self-service.
ui-configuration.json
You can find this file in the default IDM project configuration directory, openidm/conf.

To set up forgotten username retrieval, enable the following boolean in ui-configuration.json:

"forgotUsername" : true,

You can include several features with forgotten username retrieval, as shown in the following excerpts of the selfservice-reset.json file:

If you've activated Google reCAPTCHA for forgotten username retrieval, you'll see the following code block:
```
{
    "name" : "captcha",
    "recaptchaSiteKey" : "<siteKey>",
    "recaptchaSecretKey" : "<secretKey>",
    "recaptchaUri" : "https://www.google.com/recaptcha/api/siteverify"
},
```
As suggested by the code, you'd substitute actual siteKey and secretKey assigned by Google for your domain. For more information, see "Configuring Google reCAPTCHA".
For forgotten username retrieval, IDM needs to verify user identities. To ensure that usernames are sent to the right user, include the following code block:
```
{
    "name" : "userQuery",
    "validQueryFields" : [
        "mail",
        "givenName",
        "sn"
    ],
    "identityIdField" : "_id",
    "identityEmailField" : "mail",
    "identityUsernameField" : "userName",
    "identityServiceUrl" : "managed/user"
},
```
This code allows IDM to verify user identities by their username, email address, first name (givenName), or last name (sn, short for surname).
If you've included email verification, you must also configure an outgoing email server per "Configuring Outbound Email". For a discussion of the code block to add to selfservice-username.json, see "Configuring Emails for Forgotten Username".
The following code block, after confirming user identity, allows IDM to display the username:
```
{
     "name" : "retrieveUsername"
}
```

5.3.2. Managing Forgotten Username Retrieval Over REST

You can review the current forgotten username configuration over REST:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/config/selfservice/username"

Unless you've disabled file writes per "Disabling Automatic Configuration Updates", the output will match the contents of your project's selfservice-username.json file.

If needed, you can update this configuration by including the desired contents of the file:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request PUT \
--data '{ <Insert file contents here> }' \
"http://localhost:8080/openidm/config/selfservice/username"

5.3.3. Configuring Forgotten Username Retrieval From the Admin UI

To configure forgotten username retrieval from the Admin UI, select Configure > Forgotten Username. When you select Enable Forgotten Username Retrieval, you'll see a Configure Forgotten Username Form that allows you to specify the:

Identity Resource, typically managed/user
Advanced Options, Snapshot Token, typically a JSON Web Token (JWT).
Advanced Options, Token Lifetime, with a default of 300 seconds

You can also add these settings to the following configuration file: selfservice-username.json. When you modify these settings in the Admin UI, IDM creates the file for you.

5.3.4. Verifying Access to a Forgotten Username in the End User UI

After configuring forgotten username retrieval, you can test the result from the end user's point of view. Navigate to the End User UI at http://localhost:8080, and select Forgot Username?.

You should see a Retrieve Your Username page with pre-configured queries. After providing an answer, IDM should either display your username in the local browser, or send that username to the associated email address.

5.4. Common Steps: User Self-Registration, Password Reset, Forgotten Username

For each of the titled Self-Service features, you can configure several steps in the main configuration file for each feature: selfservice-registration.json, selfservice-reset.json, and selfservice-username.json. For more information, see the following sections:

"Configuring Google reCAPTCHA"
"Configuring Self-Service Email Validation / Username"
"Configuring Security Questions"
"Adding Custom Policies for Self-Registration and Password Reset"

5.4.1. Configuring Google reCAPTCHA

Google reCAPTCHA helps prevent bots from registering users or resetting passwords on your system. For Google documentation on this feature, see Google reCAPTCHA. IDM works with Google reCAPTCHA v2.

To use Google reCAPTCHA, you will need a Google account and your domain name (RFC 2606-compliant URLs such as localhost and example.com are acceptable for test purposes). Google then provides a Site key and a Secret key that you can include in the self-service function configuration.

For example, you can set up reCAPTCHA by adding the following code block to the configuration file for user self-registration selfservice-registration.json, password reset, selfservice-reset.json and forgotten username selfservice-username.json functionality.

{
    "name" : "captcha",
    "recaptchaSiteKey" : "< Insert Site Key Here >",
    "recaptchaSecretKey" : "< Insert Secret Key Here >",
    "recaptchaUri" : "https://www.google.com/recaptcha/api/siteverify"
},

You may also add the reCAPTCHA keys through the UI for each of these self-service features.

5.4.2. Configuring Self-Service Email Validation / Username

When a user requests a new account, a password reset, or a reminder of their username, you can configure IDM to confirm the request by sending an email message to that user.

Before you can configure email validation, you must first configure an outgoing email service. To do so, select Configure > Email Settings. For more information, read "Configuring Outbound Email".

To activate Email Validation, you'll need to include an appropriate code block, depending on whether you're setting up self-registration, password reset, or forgotten username functionality, in the corresponding configuration file.

Alternatively, in the Admin UI, select Configure > User Registration or Password Reset or Forgotten Username. Enable the feature. Under the Options tab, enable the Email option.

To configure the email message that informs the user of the new account, see "Configuring Notification Emails".

The following sections include the code blocks that are added to each configuration file:

5.4.2.1. Configuring Emails for Self-Service Registration

To configure emails for self-service registration, you can add the following code block to the selfservice-registration.json file:

{
    "name" : "emailValidation",
    "identityEmailField" : "mail",
    "emailServiceUrl" : "external/email",
    "emailServiceParameters" : {
        "waitForCompletion" : false
    },
    "from" : "info@example.com",
    "subject" : "Register new account",
    "mimeType" : "text/html",
    "subjectTranslations" : {
        "en" : "Register new account",
        "fr" : "Créer un nouveau compte"
    },
    "messageTranslations" : {
        "en" : "<h3>This is your registration email.</h3><h4><a href=\"%link%\">Email verification link</a></h4>",
        "fr" : "<h3>Ceci est votre mail d'inscription.</h3><h4><a href=\"%link%\">Lien de vérification email</a></h4>"
    },
    "verificationLinkToken" : "%link%",
    "verificationLink" : "https://localhost:8443/#/registration/"
},

As suggested by the code block, it includes default registration email messages in English (en) and French (fr). The verificationLink sent with the email takes users to the IDM self-registration URL.

As noted in "Managing User Self-Registration Over REST", you can make these changes over the following endpoint URI: /openidm/config/selfservice/registration

If desired, you can also configure self-service registration emails through the Admin UI. Select Configure > User Registration. If needed, activate the Enable User Registration Option. Under the Options tab, in the Email Validation box, select the  icon. The Configure Validation Email pop-up should appear.

When you use the Admin UI to customize self-registration emails, you can review the changes in the selfservice-registration.json file.

5.4.2.2. Configuring Emails for Password Reset

To configure emails for password reset, you can add the following code block to the selfservice-reset.json file:

{
    "name" : "emailValidation",
    "identityEmailField" : "mail",
    "emailServiceUrl" : "external/email",
    "emailServiceParameters" : {
        "waitForCompletion" : false
    },
    "from" : "info@example.com",
    "subject" : "Reset password email",
    "mimeType" : "text/html",
    "subjectTranslations" : {
        "en" : "Reset your password",
        "fr" : "Réinitialisez votre mot de passe"
    },
    "messageTranslations" : {
        "en" : "<h3>Click to reset your password</h3><h4><a href=\"%link%\">Password reset link</a></h4>",
        "fr" : "<h3>Cliquez pour réinitialiser votre mot de passe</h3><h4><a href=\"%link%\">Mot de passe lien de réinitialisation</a></h4>"
    },
    "verificationLinkToken" : "%link%",
    "verificationLink" : "https://localhost:8443/#/passwordreset/"
},

As suggested by the code block, it includes default password reset email messages in English (en) and French (fr). The verificationLink sent with the email takes users to the IDM password reset URL.

As noted in "Managing User Password Reset Over REST", you can make these changes over the following endpoint URI: /openidm/config/selfservice/reset

If desired, you can also configure self-service password reset emails through the Admin UI. Select Configure > Password Reset. If needed, activate the Enable Password Reset option, and in the Email Validation box, select the  icon. The Configure Validation Email pop-up should appear.

When you use the Admin UI to customize password reset emails, you can review the changes in the selfservice-reset.json file.

5.4.2.3. Configuring Emails for Forgotten Username

To configure emails for forgotten username functionality, you can add the following code block to the selfservice-username.json file:

{
    "name" : "emailUsername",
    "emailServiceUrl" : "external/email",
    "emailServiceParameters" : {
        "waitForCompletion" : false
    },
    "from" : "info@example.com",
    "mimeType" : "text/html",
    "subjectTranslations" : {
        "en" : "Account Information - username"
    },
    "messageTranslations" : {
        "en" : "<h3>Username is:</h3><br />%username%"
    },
    "usernameToken" : "%username%"
},

As suggested by the code block, it includes default email messages in English (en), with a usernameToken that includes the actual username in the message.

As noted in "Managing Forgotten Username Retrieval Over REST", you can make these changes over the following endpoint URI: /openidm/config/selfservice/username

If desired, you can also configure forgotten username retrieval emails through the Admin UI. Select Configure > Forgotten Username. If needed, activate the Enable Forgotten Username Retrieval option, and in the Email Username box, select the  icon. The Configure Email Username pop-up should appear.

When you use the Admin UI to customize forgotten username retrieval emails, you can review the changes in the selfservice-username.json file.

5.4.3. Configuring Security Questions

IDM uses security questions to enable users to verify their identities. Security questions are sometimes referred to as Knowledge-Based Authentication (KBA). When an administrator has configured security questions, self-service users can choose from the questions set in the selfservice.kba.json file, as described in "Security Questions and Self-Registration".

You can prompt users to update their security questions. As these questions may be subject to risks, you can set up IDM to prompt the user to update and/or add security questions, courtesy of the selfservice-kbaUpdate.json file. For more information, see "Prompting to Update Security Questions".

5.4.3.1. Security Questions and Self-Registration

The user is prompted to enter answers to pre-configured or custom security questions, during the self-registration process. These questions are used to help verify an identity when a user requests a password reset. These questions do not apply for users who need username retrieval.

The template version of the selfservice.kba.json file is straightforward; it includes minimumAnswersToDefine, which requires a user to define at least that many security questions and answers, along with minimumAnswersToVerify, which requires a user to answer (in this case) at least one of those questions when asking for a password reset.

{
      "kbaPropertyName" : "kbaInfo",
      "minimumAnswersToDefine": 2,
      "minimumAnswersToVerify": 1,
      "questions" : {
          "1" : {
              "en" : "What's your favorite color?",
              "en_GB" : "What is your favourite colour?",
              "fr" : "Quelle est votre couleur préférée?"
          },
          "2" : {
              "en" : "Who was your first employer?"
          }
      }
}

To configure account lockout based on the security questions, add the following lines to your selfservice.kba.json file:

"numberOfAttemptsAllowed" : 2,
"kbaAttemptsPropertyName" : "lockoutproperty"

With this configuration, users who make more than two mistakes in answering security questions are prevented from using the password reset facility until the kbaAttemptsPropertyName field is removed or the number is set to a value lower than the numberOfAttemptsAllowed. The number of mistakes is recorded in whatever property you assign to kbaAttemptsPropertyName (lockoutproperty in this example).

If you are using an explicit mapping for managed user objects, you must add this lockoutproperty to your database schema and to the objectToColumn mapping in your repository configuration file.

For example, the previous configuration would require the following addition to your conf/repo.jdbc.json file:

"explicitMapping" : {
     "managed/user": {
     "table" : "managed_user",
     "objectToColumn": {
         ...
         "lockoutproperty" : "lockoutproperty",
         ...
}

You would also need to create a lockoutproperty column in the openidm.managed_user table, with datatype VARCHAR. For example:

mysql> show columns from managed_user;

+----------------------+--------------+------+-----+---------+-------+
| Field                | Type         | Null | Key | Default | Extra |
+----------------------+--------------+------+-----+---------+-------+
| objectid             | varchar(38)  | NO   | PRI | NULL    |       |
| rev                  | varchar(38)  | NO   |     | NULL    |       |
| username             | varchar(255) | YES  | UNI | NULL    |       |
| password             | varchar(511) | YES  |     | NULL    |       |
| accountstatus        | varchar(255) | YES  | MUL | NULL    |       |
| postalcode           | varchar(255) | YES  |     | NULL    |       |
| lockoutproperty      | varchar(255) | YES  |     | NULL    |       |
...

Warning

Once you deploy these IDM self-service features, you should never remove or change existing security questions, as users may have included those questions during the user self-registration process.

You may change or add the questions of your choice, in JSON format. If you're configuring user self-registration, you can also edit these questions through the Admin UI. In fact, the Admin UI allows you to localize these questions in different languages.

In the Admin UI, select Configure > User Registration. Enable User Registration, select Options > Security Questions and select the edit icon to add, edit, or delete these questions.

Any change you make to the security questions under User Registration also applies to Password Reset. To confirm, select Configure > Password Reset. Enable Password Reset, and edit the Security Questions. You'll see the same questions there.

In addition, individual users can configure their own questions and answers, in two ways:

During the user self-registration process
From the End User UI, in the user's Profile section (), under Account Security > Security Questions

Important

A managed user's security questions can only be changed through the selfservice/userupdate endpoint, or when the user is created through selfservice/registration and provides their own questions. You cannot manipulate a user's kbaInfo property directly through the managed/user endpoint.

When the answers to security questions are hashed, they are converted to lowercase. If you intend to pre-populate answers with a mapping, the openidm.hash function or the secureHash mechanism, you must provide the string in lowercase to match the value of the answer.

5.4.3.2. Prompting to Update Security Questions

IDM supports a requirement for users to update their security questions, in the selfservice-kbaUpdate.json file. You can find this file in the following directory: /path/to/openidm/samples/example-configurations/self-service.

Alternatively, if you set up security questions from the Admin UI, you can navigate to Configure > Security Questions > Update Form, and select Enable Update. This action adds a selfservice-kbaUpdate.json file to your project's conf/ subdirectory.

For more information on this configuration file, see "Conditional User Stage" in the Self-Service REST API Reference.

5.4.4. Adding Custom Policies for Self-Registration and Password Reset

IDM has specific policies for usernames and passwords, in the policy.js file in the openidm/bin/defaults/script directory. To enforce these policies for user self-registration and password reset, add the following objects to your conf/policy.json file, under resources:

{
    "resource" : "selfservice/registration",
    "calculatedProperties" : {
        "type" : "text/javascript",
        "source" : "require('selfServicePolicies').getRegistrationProperties()"
    }
},
{
    "resource" : "selfservice/reset",
    "calculatedProperties" : {
        "type" : "text/javascript",
        "source" : "require('selfServicePolicies').getResetProperties()"
    }
},

For more information on IDM policies, see "Using Policies to Validate Data".

5.5. Configuring Notification Emails

When you configure the outbound email service as described in "Configuring Outbound Email", IDM may use that service to notify users of significant events, primarily related to user self-service. For specifics, see the following table for related notification emails:

Configuring Notification Emails

Situation	Configuration File	Details
When a user is successfully registered	`emailTemplate-welcome.json`	See "User Self-Registration Email Template"
When a user asks for their forgotten username	`selfservice-username.json`	See "Configuring Emails for Forgotten Username"
When a user registers using self-service and needs to verify their email address	`selfservice-registration.json`	See "Configuring Emails for Self-Service Registration"
When a user asks for a password reset	`selfservice-reset.json`	See "Configuring Emails for Password Reset"

Each email template can specify an email address to use in the From field. If this field is left blank, IDM will default to the address specified in Email Settings.

Note

Email templates utilize Handlebar expressions to reference object data dynamically. For example, to reference the userName of an object:

{{object.userName}}

Note

Some email providers, such as Google, will override the From address you specify in the templates, and instead use the address used to authenticate with the SMTP server. The email address specified in the template may still be present, but in an email header hidden from most users, such as X-Google-Original-From.

5.5.1. User Self-Registration Email Template

When a new user registers through the IDM self-registration interface, and if you've configured email per "Configuring Outbound Email", that user will get a welcome email as configured in the emailTemplate-welcome.json file:

{
    "enabled" : true,
    "from" : "",
    "subject" : {
        "en" : "Your account has been created"
    },
    "message" : {
        "en" : "<html><body><p>Welcome to OpenIDM. Your username is '{{object.userName}}'.</p></body></html>"
    },
    "defaultLocale" : "en"
}

You may want to make the following changes:

Add an email address to the from property, perhaps an email address for your organization's systems administrator.
Set up appropriate locale(s).
Modify the subject line as needed.
Include a welcome message appropriate to your organization.

5.5.2. Managing Email Templates from the Admin UI

The Admin UI includes tools that can help you customize email messages related to two administrative tasks: creating users and resetting passwords.

To configure these messages from the Admin UI, select Configure > Email Settings > Templates, where you'll see the following option:

Welcome: To configure emails that notify a user of a newly created account, as defined in emailTemplate-welcome.json.
Note
IDM sends the same welcome email to users created with a REST call. For an example of user creation over REST, see "Working with Managed Users".

5.7. Account Claiming: Links Between Accounts and Social Identity Providers

If your users have one or more social identity providers, they can link them to the same IDM user account. This section assumes that you have configured one or more of the social identity providers described in "Configuring Social Identity Providers".

Conversely, you should not be able to link more than one IDM account with a single social identity provider account.

When social accounts are associated with an IDM account, IDM creates a managed record, which uses the name of the social identity provider name as the managed object type, and the subject is used as the _id. This combination has a unique constraint; if you try to associate a second IDM account with the same social account, IDM detects a conflict, which prevents the association.

The default process uses the email address associated with the account. Once you've configured social identity providers, you can see this filter in the selfservice-socialUserClaim.json file:

{
    "name" : "socialUserClaim",
    "identityServiceUrl" : "managed/user",
    "claimQueryFilter" : "/mail eq \"{{mail}}\""
},

You can modify the claimQueryFilter to a different property such as telephoneNumber. Make sure that property is:

Set to "required" in the managed.json file; the default list for managed users is shown here:
```
"required" : [
    "userName",
    "givenName",
    "sn",
    "mail"
]
```
Unique; for example, if multiple users have the same telephone number, IDM responds with error messages shown in "When Multiple Users have the Same Email Address".

Based on the claimQueryFilter, what IDM does depends on the following scenarios:

"When the Email Address is New"
"When One User has the Same Email Address"
"When Multiple Users have the Same Email Address"

5.7.2. When One User has the Same Email Address

When you register with a social identity provider, IDM checks the email address of that account against the managed user data store.

If that email address exists for one IDM managed user, IDM gives you a chance to link to that account, with the following message:

We found an existing account with the same email address
<substitute email address>. To continue, please enter your password to
link accounts.

In the text box, users are expected to enter their IDM account password.

5.7.3. When Multiple Users have the Same Email Address

When you register with a social identity provider, IDM checks the email address of that account against the managed user data store.

If that email address exists for multiple IDM managed users, IDM denies the login attempt, with the following error message:

Unable to authenticate using login provider

IDM denies further attempts to login with that account with the following message:

Forbidden request error

5.7.5. Reviewing Linked Accounts as an Administrator

You can review social identity accounts linked to an IDM account, from the Admin UI and from the command line. You can disable or delete social identity provider information for a specific user from the command line, as described in "Reviewing Linked Accounts Over REST".

When you activate a social identity provider, IDM creates a new managed object for that provider. You can review that managed object in the managed.json file, as well as in the Admin UI, by selecting Configure > Managed Objects.

The information shown is reflected in the schema in the identityProvider-providername.json file for the selected provider.

Note

Do not edit social identity provider profile information through IDM. Any changes that you make won't be synchronized with that provider.

5.7.5.1. Reviewing Linked Accounts Over REST

To identify linked social identity provider accounts for a user, you must specifically add the idps field to your user query. For example, the following query shows bjensen's linked social identity information:

$ curl \
--header "X-OpenIDM-Username:openidm-admin" \
--header "X-OpenIDM-Password:openidm-admin" \
--request GET \
"http://localhost:8080/openidm/managed/user?_queryFilter=userName+eq+'bjensen'&_fields=idps"
{
  "result": [
    {
      "_id": "bjensen",
      "_rev": "000000003062291c",
      "idps": [
        {
          "_ref": "managed/google/108246554379618660085",
          "_refResourceCollection": "managed/google",
          "_refResourceId": "108246554379618660085",
          "_refProperties": {
            "_id": "ba01a4c3-8a7f-468b-8b09-95f5d34f05ea",
            "_rev": "0000000098619792"
          }
        }
      ]
    }
  ],
...
}

For more information about a specific social identity provider, query the identity relationship using the referred resource ID. The following example shows the information collected from the Google provider for bjensen:

$ curl \
--header "X-OpenIDM-Username:openidm-admin" \
--header "X-OpenIDM-Password:openidm-admin" \
--request GET \
"http://localhost:8080/openidm/managed/google/108246554379618660085"
    {
  "_id": "108246554379618660085",
  "_rev": "00000000e5cace4d",
  "sub": "108246554379618660085",
  "name": "Barbara Jensen",
  "given_name": "Barbara",
  "family_name": "Jensen",
  "picture": "https://lh3.googleusercontent.com/-XdUIqdMkCWA/AAAAAAAAAAI/AAAAAAAAAAA/4252rscbv5M/photo.jpg",
  "email": "babs.jensen@gmail.com",
  "email_verified": true,
  "locale": "en",
  "_meta": {
    "subject": "108246554379618660085",
    "scope": [
      "openid",
      "profile",
      "email"
    ],
    "dateCollected": "2018-03-08T02:07:27.882"
  }
}

When a user disables logins through one specific social identity provider in the End User UI, that sets "enabled" : false in the data for that provider. However, that user's social identity information is preserved.

Alternatively, you can use a REST call to disable logins to a specific social identity provider. The following REST call removes a user's ability to log in through Google:

$ curl  \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-type: application/json" \
--request POST \
"http://localhost:8080/openidm/managed/user/9dce06d4-2fc1-4830-a92b-bd35c2f6bcbb?_action=unbind&provider=google"

In this case, the REST call deletes all Google social identity provider information for that user.

5.8. Customizing the End User UI

For information on customizing the IDM End User UI, see the following ForgeRock Git repository: ForgeRock/end-user-ui: Identity Management (End User).

5.9. Setting Up User-Managed Access (UMA), Trusted Devices, and Privacy

In the following sections, you'll refer to AM documentation to set up User-Managed Access (UMA), Trusted Devices, and Privacy for your end users. These options require IDM working with AM. For a working implementation of both products, see "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide.

Tip

If you want to configure both UMA and Trusted Devices in AM, configure these features in the following order, as described in the sections that follow:

Set up UMA
Use AM to configure UMA-based resources
Configure Trusted Devices

If you have to reconfigure UMA at a later date, you'll have to first disable Trusted Devices. You can enable Trusted Devices, once again, afterwards.

5.9.1. User Managed Access in IDM

When you integrate IDM with ForgeRock Access Management (AM) you can take advantage of AM's abilities to work with User-Managed Access (UMA) workflows. AM and IDM use a common installation of ForgeRock Directory Services (DS) to store user data.

For instructions on how to set up this integration, see "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide. Be sure to set up DS as the AM user data store. Once you've set up integration through that sample, you can configure AM to work with UMA. For more information, see the AM User-Managed Access (UMA) Guide. From that guide, you need to know how to:

Set up AM as an authorization server.
Register resource sets and client agents in AM.
Help users manage access to their protected resources through AM.

Pay close attention to the AM documentation on configuring an OAuth 2.0 UMA Client and UMA Server. You may need to add specific grant types to each OAuth 2.0 application.

If you follow AM documentation to set up UMA, you'll see instructions on setting up users as resource owners and requesting parties. If you set up users in AM, be sure to include the following information for each user:

First Name
Last Name
Email Address

AM writes this information to the common DS user data store. You can then synchronize these users to the IDM Managed User data store, with a command such as:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request POST \
"http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"

After your users have shared UMA resources from the AM Self-Service UI, they can view what they've done and shared in the IDM End User UI, by selecting the Sharing icon ().

5.9.2. Configuring Trusted Devices on IDM

You can configure Trusted Devices through AM, using the following sections of the AM Authentication and Single Sign-On Guide: Configuring Authentication Chains and Device ID (Match) Authentication Module. You can use the techniques described in these sections to set up different authentication chains for administrators and regular users.

You can create an AM authentication chain with the following modules and criteria:

AM Authentication Chain Modules

Module	Criteria
Data Store	Requisite
Device Id (Match)	Sufficient
Device Id (Save)	Required

This is different from the authentication chain described in the following section of the AM Authentication and Single Sign-On Guide: Device ID (Match) Authentication Module, as it does not include the HOTP Authentication Module

When trusted devices are enabled, users are presented with a prompt on a screen with the following question "Add to Trusted Devices?". If the user selects Yes, that user is prompted for the name of the Trusted Device.

Note

In default configurations, trusted devices are not saved for the AM amadmin account. However, you can set up different AM administrative users as described in the following section of the AM Setup and Maintenance Guide: Delegating Realm Administration Privileges.

You can set up different authentication chains for regular and administrative users, as described in the AM Authentication and Single Sign-On Guide.

5.10. Privacy: My Account Information in the End User UI

While end users can find their information in the End User UI, you can use REST calls and audit logs to find the same information. However, some of the information in this section, such as Trusted Devices and UMA-based sharing, may require integration with ForgeRock Directory Services (DS) or ForgeRock Access Management (AM), as described in "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide.

What the enduser sees upon log into the End User UI depends on which features are configured.

When you log into the End User UI, you'll be taken to the IDM Profile page (), with at least the following information under settings:
- Account Security
- Preferences
- Account Controls
You'll see at least a Dashboard () and a Profile icon () in the left hand pane. If you've configured UMA as described in "Setting Up User-Managed Access (UMA), Trusted Devices, and Privacy", you'll also see a Sharing icon (). To see descriptions with each icon, select the Menu icon ():
Icons in the End User UI

When you add features described earlier in this chapter, you'll see additional options in the profile page, as described in the following table:

Information in the End User Profile Page

Title	Description	Section
Account Security	Password and Security Questions, default	"Configuring Security Questions"
Social Sign-in	Links to Social Identity Provider Accounts	"Configuring Social Identity Providers"
Authorized Applications	Applications that can access an account	"Authorized Applications"
Trusted Devices	Based on system and browser	"Configuring Trusted Devices on IDM"
Preferences	Default	"Configuring End User Preferences"
Personal Data Sharing	Provides control	"Personal Data Sharing"
Account Controls	Includes collected account data (Default)	"Account Controls"

5.10.1. Personal Information

End users can find their account details in the End User UI, by selecting the Profile icon () > Edit Personal Info. By default, user information includes at least the following properties: Username, First Name, Last Name, and Email Address.

Each user can modify this information as needed, as long as "userEditable" : true for the property in your project's managed.json file. For more information, see "Creating and Modifying Managed Object Types".

5.10.2. Sign-In & Security

Under this tab, end users can change their passwords. They can also add, delete, or modify security questions, and link or unlink supported social identity accounts. For more information, see "Configuring Security Questions" and "Configuring Social Identity Providers".

5.10.3. Preferences

The preferences tab allows end users to modify marketing preferences, as defined in the managed.json file, and the Managed Object User property Preferences tab. For more information, see "Configuring End User Preferences".

End users can toggle marketing preferences. When IDM includes a mapping to a marketing database, these preferences are sent to that database. This can help administrators use IDM to target marketing campaigns and identify potential leads.

5.10.4. Trusted Devices

A trusted device uses AM's Device ID (Match) and Device ID (Save) authentication modules, as described in the AM Authentication and Single Sign-On Guide. When such modules are configured (see "Configuring Trusted Devices on IDM"), end users can add such devices the first time they log in from a new location.

During the login process, when an end user selects Log In, that user is prompted for a Trusted Device Name. Users see their added devices under the Trusted Devices tab.

A trusted device entry is paired with a specific browser on a specific system. The next time the same end user logs in from the same browser and system, in the same location, that user should not be prompted to enter a trusted device again.

End users can remove their trusted devices from the tab.

5.10.5. Authorized Applications

The Authorized Applications section is specific to end users as OAuth 2 clients. and reflects the corresponding section of the AM Self-Service dashboard, as described in the following section of the AM OAuth 2.0 Guide on: User Consent Management.

Note

The one exception is when IDM is configured to work with AM as described in "Integrating IDM With the ForgeRock Identity Platform" in the Samples Guide. You'll see an "Authorized Application" in this case, with a name such as openidm. While end users can select Remove, to try to delete something like openidm as an "Authorized Application", openidm will reappear the next time the user logs into the End User UI, in the "full stack" configuration.

5.10.6. Personal Data Sharing

This section assumes that as an administrator, you've followed the instructions in "Configuring Privacy & Consent" to enable Privacy & Consent.

End users who see a Personal Data Sharing section have control of whether personal data is shared with an external database, such as one that might contain marketing leads.

The managed object record for end users who consent to sharing such data is shown in REST output and the audit activity log as one consentedMappings object:

"consentedMappings" : [ {
   "mapping" : "managedUser_systemLdapAccounts",
   "consentDate" : "2017-08-25T18:13:08.358Z"
}

If enabled, end users will see a Personal Data Sharing section in their profiles. If they select the Allow link, they can see the data properties that would be shared with the external database.

This option supports the right to restrict processing of user personal data.

5.10.7. Account Controls

The Account Controls section allows end users to download their account data (in JSON format), and to delete their accounts from IDM.

Important

When end users delete their accounts, the change is propagated to external systems by implicit sync. However, it is then up to the administrator of the external system to make sure that any additional user information is purged from that system.

To modify the message associated with the Delete Your Account option, refer to the following section of the public ForgeRock Identity Management (End User) Git repository on Translations. You'll find content GitHub "Customizing the End User UI", find the translation.json file, search for the deleteAccount code block, and edit text information as desired.

The options shown in this section can help meet requirements related to data portability, as well as the right to be forgotten.

5.11. Progressive Profile Completion

Progressive profile completion can help you build relationships with end users. Once users have established a history in their accounts, you can collect more information based on customizable criteria. Ideally, you should be able to use that information to create better experiences for those end users.

After activating "User Self-Registration", users need only the following information to register:

User name
First name
Last name
Email address

Progressive profile completion allows you to collect additional information, limited by the attributes defined in the managed.json file for your project.

In the following sections, you'll examine how you use progressive profile completion to ask or require more information from users. You're limited only by the properties defined in your project's managed.json file.

For more information, see "Setting Up a Progressive Profile Completion Form With selfservice-profile.json".

5.11.1. Setting Up a Progressive Profile Completion Form With `selfservice-profile.json`

If you're testing progressive profile completion, you can start from the selfservice-profile.json file in the following directory: openidm/samples/example-configurations/self-service/

Copy this file to your project's conf/ subdirectory and start IDM. After the conditions shown in this configuration file are met, end users will see a form prompting them to add a telephone number.

{
    "stageConfigs" : [
        {
            "name" : "conditionaluser",
            "identityServiceUrl" : "managed/user",
            "condition" : {
                "type" : "loginCount",
                "interval" : "at",
                "amount" : 25
            },
            "evaluateConditionOnField" : "user",
            "onConditionTrue" : {
                "name" : "attributecollection",
                "identityServiceUrl" : "managed/user",
                "uiConfig" : {
                    "displayName" : "Add your telephone number",
                    "purpose" : "Help us verify your identity",
                    "buttonText" : "Save"
                },
                "attributes" : [
                    {
                        "name" : "telephoneNumber",
                        "isRequired" : true
                    }
                ]
            }
        }
    ]
}

The following table includes a detailed list of each property shown in this file:

The selfservice-profile.json File

Property	Description
`stageConfigs`	Progressive profile completion is a stage user self-service
`name`	`conditionaluser` sets up conditions for end users
`identityServiceUrl`	`managed/user` specifies IDM Managed Users
`condition`	Condition when to display the form
`type`	Type of `condition`; for a list of conditions, see "Standard Progressive Profile Completion Conditions"
`evaluateConditionOnField`	IDM evaluates the condition, per `user`
`onConditionTrue`	Present the form with the following properties
`name`	Data that you collect with the form is an `attributeCollection`
`uiConfig`	Labels to include the in the form seen by the end user
`displayName`	Form title
`purpose`	Form explanation
`buttonText`	Customizable
`attributes`	Attribute name from `managed.json`
`isRequired`	If an end user has to enter data to complete a connection to IDM

5.11.1.1. Standard Progressive Profile Completion Conditions

You can set up a number of different conditions for when users are prompted to add information to their profiles. IDM includes the following pre-defined criteria:

loginCount: May specify at or every number of logins, as defined by the following value: amount.
Note
End users can bypass progressive profile completion screens, when configured with a loginCount. Every time they see such a request, they can open a new browser window to bypass that request, and log into the End User UI. They won't have to provide the information requested, even if you've set the attribute as Required under the Attributes tab.
timeSince: May specify a time since the user was created, the createDate, in years, months, weeks, days, hours, and minutes.
profileCompleteness: Based on the number of items completed by the user from managed.json, in percent, as defined by percentLessThan; for more information, see "Defining Overall Profile Completion".
propertyValue: Based on the value of a specific user entry, such as postalAddress, which can be defined by "Presence Expressions".

5.11.1.2. Custom Progressive Profile Conditions

You can also set up custom conditions with query filters and scripts. These criteria may deviate from standard query filters described in "Constructing Queries" and standard scripted conditions described in "Adding Conditional Policy Definitions".

A query filter (queryFilter), as defined in "Defining and Calling Queries". For example, the following query filter checks user information for users who live in the city of Portland:
```
"condition" : {
   "type" : "queryFilter",
   "filter" : "/city eq \"Portland\""
},
```
In addition, you can also reference metadata, as described in "Tracking Metadata For Managed Objects". For example, the following query filter searches for users with:
- A loginCount greater than or equal to five
- Does not have a telephone number
```
"filter" : "(/_meta/loginCount ge 5 and !(/telephoneNumber pr))"
      
```
Warning
If you include _meta in query filters, the Admin UI will not work for the subject progressive profiling form.
While it's technically possible to include a number like 5 in the Admin UI with the query filter, IDM would write the number as a string to the selfservice-profile.json file. You'd still have to change that number directly in the noted file.
An inline script (scripted), or a reference to a script file; IDM works with scripts written in either JavaScript or Groovy. For example, you could set up a script here:
```
"condition" : {
   "type" : "scripted",
   "script" : {
       "type" : "text/javascript",
       "globals" : { },
       "source" : "<some script code>"
},
```
Alternatively, you could point to some JavaScript or Groovy file:
```
"condition" : {
   "type" : "scripted",
   "script" : {
       "type" : "text/javascript",
       "globals" : { },
       "file" : "path/to/someScript.js"
},
```
For the script code, you'll need to reference fields directly, and not by object.field. For example, the following code would test for the presence of a telephone number:
```
typeof telephoneNumber === 'undefined' || telephoneNumber === ''
      
```
While you can also reference metadata for scripts, you can't check for all available fields, as there is no outer object field. However, you can refer to fields that are part of the user object.

5.11.1.3. Defining Overall Profile Completion

A user profile is based on every item in managed.json where both viewable and userEditable are set to true. Every qualifying item has equal weight.

So if there are 20 qualifying items in managed.json, a user who has entries for 10 items has a Profile completion percentage of 50.

5.11.2. The `auth.profile.json` File

In some circumstances, you may wish to create a temporary role for users who are in the middle of progressive profile completion, such as if you wish to enable access to an endpoint, while prohibiting access to other parts of the End User UI (as well as the rest of IDM).

To do this, you may optionally define an authenticationRole in auth.profile.json, which you can use as a role assignment in access.js or elsewhere.

For example, if you wished to assign access to a custom endpoint for users who have incomplete profiles, you could modify auth.profile.json to include a custom authenticationRole called incomplete-profile:

{
  "profileEnhancementProcesses": [
    "selfservice/termsAndConditions",
    "selfservice/kbaUpdate",
    "selfservice/profile"
  ],
  "authenticationRole": "incomplete-profile",
  "authorizationRole": "internal/role/openidm-authorized"
}

You could then give access to this role to your custom endpoint in access.js:

{
    "pattern"    : "endpoint/extra-steps",
    "roles"      : "incomplete-profile",
    "methods"    : "read",
    ...
},

Access for these and other roles is governed by the access.js script. For more information, see "Understanding the Access Configuration Script (access.js)".

The role specified in authenticationRole can be an existing role, or it can be a placeholder string. If it is a placeholder, it will not function as a real role, but can still be used for access in access.js, and will appear in access and authentication log files in the openidim/audit directory.

5.11.3. Progressive Profile Completion and Metadata

Progressive profile completion requires that you track object metadata, as described in "Tracking Metadata For Managed Objects". Read that section to configure tracking of the following data:

createDate: The date the user was created; used in the onCreateUser.js script in the openidm/bin/defaults/script directory.
loginCount: The number of logins, by user.
stagesCompleted: Used to track progressive profile forms, and whether they've been completed, by user.

User acceptance of Terms & Conditions is tracked by default (see "Adding Terms & Conditions").

5.11.4. Configuring Progressive Profile Completion over REST

You can manage the progressive profile completion configuration through the following endpoint: openidm/config/selfservice/profile. To review your current configuration, run the following command:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/config/selfservice/profile"

Unless you've disabled file writes per "Disabling Automatic Configuration Updates", the output will match the contents of your project's selfservice-profile.json file.

In a similar fashion, you can update this configuration by including the desired contents of the file:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request PUT \
--data '{
    "stageConfigs" : [
        {
            "name" : "conditionaluser",
            "identityServiceUrl" : "managed/user",
            "condition" : {
                "type" : "loginCount",
                "interval" : "at",
                "amount" : 25
            },
            "evaluateConditionOnField" : "user",
            "onConditionTrue" : {
                "name" : "attributecollection",
                "identityServiceUrl" : "managed/user",
                "uiConfig" : {
                    "displayName" : "Add your telephone number",
                    "purpose" : "Help us verify your identity",
                    "buttonText" : "Save"
                },
                "attributes" : [
                    {
                        "name" : "telephoneNumber",
                        "isRequired" : true
                    }
                ]
            }
        }
    ]
}' \
"http://localhost:8080/openidm/config/selfservice/profile"

5.11.5. Configuring Progressive Profile Completion Through the Admin UI

The UI is straightforward; in the Admin UI, when you select Configure > Progressive Profile, you'll add a New Form, with:

Attributes defined in managed.json
Conditions that may be based on a query filter, a script, or pre-defined criteria such as number of logins.

What you configure in the Admin UI is written to the selfservice-profile.json file. The information under the following Admin UI Progressive Profile Completion page tabs is written to the following code blocks in that file:

Details: uiConfig
Display Condition: condition
Attributes: attributes

Warning

When you use the UI, you must specify a property under the Attributes tab. Otherwise, IDM won't display a Progressive Profile form. To specify a property, select Configure > Progressive Profile. Select a Progressive Profile form > Attributes tab > Add a Property. Be sure to select an Attribute Name based on user properties configured in the managed.json file.

5.12. Adding Terms & Conditions

Many organizations require their users to accept Terms & Conditions. When you activate this option for user self-registration, IDM includes a link to Terms & Conditions as part of the self-registration process.

You can also force existing IDM users to accept new Terms & Conditions when they log into the End User UI through the selfservice-termsAndConditions.json file described in "Terms & Conditions Configuration Files".

5.12.1. Terms & Conditions Configuration Files

If you want to try the IDM implementation of Terms & Conditions, look at these files from the openidm/samples/example-configurations/self-service directory:

selfservice.terms.json
selfservice-termsAndConditions.json

Copy these files to your project directory and start IDM. To see how these Terms & Conditions appear to end users, create a regular user. Log into the End User UI as that user. You will be prompted to accept default Terms & Conditions.

The Terms & Conditions that you see in the End User UI come from the selfservice.terms.json file:

{
  "versions": [
    {
      "version": "2.0",
      "termsTranslations": {
        "en": "Some 2.0 fake terms",
        "fr": "More 2.0 fake terms"
      },
      "createDate": "2017-12-19T03:54:16.865Z"
    },
    {
      "version": "1.5",
      "termsTranslations": {
        "en": "Some 1.5 fake terms",
        "fr": "More 1.5 fake terms"
      },
      "createDate": "2017-11-20T04:20:11.320Z"
    }
  ],
  "active": "1.5",
  "uiConfig" : {
    "displayName" : "We've updated our terms",
    "purpose" : "You must accept the updated terms in order to proceed.",
    "buttonText" : "Accept"
  }
}

Note

IDM does not support <form> elements or <script> tags in Terms & Conditions text.

Substitute Terms & Conditions content that meet the requirements of your legal authorities.

As suggested by this file, you can set up different versions of Terms & Conditions in multiple languages. What is seen by end users is driven by the active version.

For details, see the following table:

The selfservice.terms.json File

Property	Description
`version`	Specifies a version number
`termsTranslations`	Supports Terms & Conditions in different languages
`createDate`	Creation date
`active`	Specifies the version of Terms & Conditions shown to users; must match an existing `version`
`displayName`	The title of the Terms & Conditions page, as seen by end users
`purpose`	Help text shown below the `displayName`
`buttonText`	Button text shown to the end user for acceptance

The other Terms & Conditions configuration file is selfservice-termsAndConditions.json. If it exists, end users must accept the specified Terms & Conditions before logging into IDM. As shown here, this applies Terms & Conditions to the managed/user store.

{
    "stageConfigs" : [
        {
            "name" : "conditionaluser",
            "identityServiceUrl" : "managed/user",
            "condition" : {
                "type" : "terms"
            },
            "evaluateConditionOnField" : "user",
            "onConditionTrue" : {
                "name" : "termsAndConditions"
            }
        },
        {
            "name" : "patchObject",
            "identityServiceUrl" : "managed/user"
        }
    ]
}

When a user accepts Terms & Conditions, IDM records relevant information in the _meta data for that user, as described in "Identifying When a User Accepts Terms & Conditions".

You can set up user self-registration to require acceptance of Terms & Conditions as described in "User Self-Registration".

Note

If you've set up Terms & Conditions in multiple languages, what your end users see depends on the default language set in the browser, based on ISO-639 language codes:

First, IDM looks for the active version, as defined in the selfservice.terms.json file.

If the default language in the browser matches one of the Terms & Conditions languages that you've configured, that's what the end user will see.
If the default language in the browser does not match any Terms & Conditions locales, IDM looks for:
- The en locale.
- If there is no en locale, IDM uses the first locale shown for the active version.

5.12.2. Updating Terms & Conditions over REST

You can manage the configuration for Terms & Conditions over the following endpoints:

openidm/config/selfservice.terms
openidm/config/selfservice/termsAndConditions

For example, the following command would replace the value of buttonText:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request PATCH \
--data '[ {
   "operation" : "replace",
   "field" : "uiConfig/buttonText",
   "value" : "OK"
} ]' \
"http://localhost:8080/openidm/config/selfservice.terms"

5.12.3. Identifying When a User Accepts Terms & Conditions

You can identify when a user accepts Terms & Conditions, as well as the associated version. To do so, take the following steps:

If needed, find identifying information for all managed users:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/managed/user?_queryId=query-all"

Pick a desired user, and use REST to get that user's information. This example illustrates how a user with a userName of kvaughan has already accepted a specific version of Terms & Conditions:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/managed/user?_queryFilter=userName+eq+'kvaughan'&_fields=*,/_meta/*"
{
  "result": [
    {
      ...
      "userName": "kvaughan",
      ...
        "termsAccepted": {
          "acceptDate": "2018-04-12T22:55:33.370Z",
          "termsVersion": "2.0"
        },
        "createDate": "2018-04-12T22:55:33.395Z",
        "lastChanged": {
          "date": "2018-04-12T22:55:33.395Z"
        },
        "loginCount": 1,
        "_rev": "00000000776f8be1",
        "_id": "69124007-05ec-46e1-a8a8-ecc3d94db124"
      }
    }
  ],
  ...
}

5.12.4. Configuring Terms & Conditions in the Admin UI

From the Admin UI, select Configure > Terms & Conditions. You can then create a new version, which prompts you to configure the following:

Version number (must be unique).
If there are existing Terms & Conditions, you'll see a Make active switch for the new Terms & Conditions.
Locale, in ISO-639 format.
Terms & Conditions, in the specified language locales. You can set up Terms & Conditions in text and/or basic HTML.

Once you've added Terms & Conditions in all desired locales, select Save to save them in the selfservice.terms.json file.

Note

The Admin UI does not allow you to delete existing Terms & Conditions.

Once you have at least one set of Terms & Conditions, you should see a Settings tab, where you can:

Require acceptance; the next time any end user logs into IDM, that user will see a copy of your Terms & Conditions, with the Header, Description, and Button Text.
To make sure new users have to accept these Terms & Conditions, select Configure > User Registration in the Admin UI. Enable Terms & Conditions under the Options tab. For more information, see "User Self-Registration". Users who self-register will see the following message, with a link to those Terms & Conditions:
```
By creating an account, you agree to the Terms & Conditions
```

These changes are recorded in _meta data for each user and can be retrieved through REST calls described in "Identifying When a User Accepts Terms & Conditions".

5.13. Localizing the End User UI

The End User UI is configured in US English. For more information on how to localize and modify the messages in the End User UI, see the following section of the ForgeRock Identity Management (End User) repository on Translations and Text.

5.14. Tokens and User Self-Service

Many processes within user self-service involve multiple stages, such as user self-registration, password reset, and forgotten username. As the user transitions from one stage to another, IDM uses JWT tokens to represent the current state of the process. As each stage is completed, IDM returns a new token. Each request that follows includes that latest token.

For example, users who use these features to recover their usernames and passwords get two tokens in the following scenario:

The user goes through the forgotten username process, gets a JWT Token with a lifetime (default = 300 seconds) that allows that user to get to the next step in the process.
With username in hand, that user may then start the password reset process. That user gets a second JWT token, with the token lifetime configured for that process.

Note

The default IDM JWT token is encrypted and stateless. However, if you need a token that can be included in a link that works in all email clients, change the snapshotToken type in the appropriate configuration file to uuid.

5.15. End User UI Notifications

Whenever there are changes related to individual users, IDM sends notifications to the affected user. When such users log into the End User UI, they can find their notifications by selecting the bell () icon.

Notifications are configured in notification-*.json files, as described in "Notification Configuration Files".

IDM includes a notifications endpoint, which can help you identify all notifications:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/internal/notification?_queryFilter=true"

You can isolate notifications by user. As noted elsewhere, you can identify user IDs with the following command:

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/managed/user?_queryId=query-all-ids"

You can then isolate the notifications by user ID, with the _notifications field.

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/managed/user/e3a9385b-733f-4a1c-891b-c89292b30d70?_fields=_notifications/*"

For other _queryFilter options, see "Defining and Calling Queries".

You can filter notifications with any of the properties shown in the following table:

End User Notification Properties

Property	Description
`createDate`	Creation date
`notificationType`	Message type: limited to info, warning, or error
`message`	Message seen by the end user

You can get additional information from the activity audit log, in the audit/activity.audit.json file. including the following:

The userId who made the change.
The runAs name of the user who made the change.
If configured in "Specifying Fields to Monitor", any watched fields that have changed.
If the password was changed, as indicated by the passwordChanged property.

Chapter 6. Managing the Repository

IDM stores managed objects, internal users, and configuration objects in a repository. By default, the server uses an embedded ForgeRock Directory Services (DS) instance as its repository. In production, you must replace this embedded instance with an external DS instance, or with a JDBC repository, as described in "Selecting a Repository" in the Installation Guide.

This chapter describes the repository configuration, the use of mappings in the repository, and how to configure a connection to the repository over SSL. It also describes how to interact with the repository over the REST interface.

6.1. Understanding the Repository Configuration Files

IDM provides configuration files for all supported repositories. These configuration files are located in the /path/to/openidm/db/database/conf directory. For JDBC repositories, the configuration is defined in two files:

datasource.jdbc-default.json, which specifies the connection details to the repository.
repo.jdbc.json, which specifies the mapping between IDM resources and the tables in the repository, and includes a number of predefined queries.
repo.init.json, which specifies IDM's initial internal roles and users. The file is used when first launching IDM, and can be used to create additional roles and users, but ignores roles and users that have already been created. For more information about internal roles, see "Authorization".

For a DS repository, the repo.ds.json file specifies the resource mapping and, in the case of an external repository, the connection details to the LDAP server.

Copy the configuration files for your specific database type to your project's conf/ directory.

6.1.1. Understanding the JDBC Connection Configuration File

The default database connection configuration file for a MySQL database follows:

{
    "driverClass" : "com.mysql.jdbc.Driver",
    "jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8",
    "databaseName" : "openidm",
    "username" : "openidm",
    "password" : "openidm",
    "connectionTimeout" : 30000,
    "connectionPool" : {
        "type" : "hikari",
        "minimumIdle" : 20,
        "maximumPoolSize" : 50
    }
}

The configuration file includes the following properties:

driverClass

"driverClass" : string

To use the JDBC driver manager to acquire a data source, set this property, as well as "jdbcUrl", "username", and "password". The driver class must be the fully qualified class name of the database driver to use for your database.

Using the JDBC driver manager to acquire a data source is the most likely option, and the only one supported "out of the box". The remaining options in the sample repository configuration file assume that you are using a JDBC driver manager.

Example: "driverClass" : "com.mysql.jdbc.Driver"

jdbcUrl

The connection URL to the JDBC database. The URL should include all of the parameters required by your database. For example, to specify the encoding in MySQL use 'characterEncoding=utf8'.

Specify the values for openidm.repo.host and openidm.repo.port in one of the following ways:

Set the values in resolver/boot.properties or your project's conf/system.properties file, for example:
```
openidm.repo.host = localhost
openidm.repo.port = 3306
```

Set the properties in the OPENIDM_OPTS environment variable and export that variable before startup. You must include the JVM memory options when you set this variable. For example:

$ export OPENIDM_OPTS="-Xmx1024m -Xms1024m -Dopenidm.repo.host=localhost -Dopenidm.repo.port=3306"
$ ./startup.sh
Executing ./startup.sh...
Using OPENIDM_HOME:   /path/to/openidm
Using PROJECT_HOME:   /path/to/openidm
Using OPENIDM_OPTS:   -Xmx1024m -Xms1024m -Dopenidm.repo.host=localhost -Dopenidm.repo.port=3306
Using LOGGING_CONFIG: -Djava.util.logging.config.file=/path/to/openidm/conf/logging.properties
Using boot properties at /path/to/openidm/resolver/boot.properties
-> OpenIDM version "6.5.2.0"
OpenIDM ready

databaseName

The name of the database to which IDM connects. By default, this is openidm.

username

The username with which to access the JDBC database.

password

The password with which to access the JDBC database. IDM automatically encrypts clear string passwords. To replace an existing encrypted value, replace the whole crypto-object value, including the brackets, with a string of the new password.

connectionTimeout

The period of time, in milliseconds, after which IDM should consider an attempted connection to the database to have failed. The default period is 30000 milliseconds (30 seconds).

connectionPool

Database connection pooling configuration. The default connection pool library is HikariCP:

"connectionPool" : {
    "type" : "hikari"
}

IDM uses the default HikariCP configuration, except for the following parameters. You might need to adjust these parameters, according to your database workload:

minimumIdle
This property controls the minimum number of idle connections that HikariCP maintains in the connection pool. If the number of idle connections drops below this value, HikariCP attempts to add additional connections.
By default, HikariCP runs as a fixed-sized connection pool, that is, this property is not set. The connection configuration files provided with IDM set the minimum number of idle connections to 20.
maximumPoolSize
This property controls the maximum number of connections to the database, including idle connections and connections that are being used.
By default, HikariCP sets the maximum number of connections to 10. The connection configuration files provided with IDM set the maximum number of connections to 50.

For information about the HikariCP configuration parameters, see the HikariCPCP Project Page.

6.1.2. Understanding the JDBC Database Table Configuration

An excerpt of a MySQL database table configuration file follows:

{
     "dbType" : "MYSQL",
     "useDataSource" : "default",
     "maxBatchSize" : 100,
     "maxTxRetry" : 5,
     "queries" : {...},
     "commands" : {...},
     "resourceMapping" : {...}
 }

The configuration file includes the following properties:

dbType : string, optional

The type of database. The database type might affect the queries used and other optimizations. Supported database types include the following:

DB2

SQLSERVER (for Microsoft SQL Server)

MYSQL

ORACLE

POSTGRESQL

useDataSource : string, optional

This option refers to the connection details that are defined in the configuration file, described previously. The default configuration file is named datasource.jdbc-default.json. This is the file that is used by default (and the value of the "useDataSource" is therefore "default"). You might want to specify a different connection configuration file, instead of overwriting the details in the default file. In this case, set your connection configuration file datasource.jdbc-name.json and set the value of "useDataSource" to whatever name you have used.

maxBatchSize

The maximum number of SQL statements that will be batched together. This parameter allows you to optimize the time taken to execute multiple queries. Certain databases do not support batching, or limit how many statements can be batched. A value of 1 disables batching.

maxTxRetry

The maximum number of times that a specific transaction should be attempted before that transaction is aborted.

queries

Predefined queries that can be referenced from the configuration. For more information about predefined queries, see "Parameterized Queries". The queries are divided between those for genericTables and those for explicitTables.

The following sample extract from the default MySQL configuration file shows two credential queries, one for a generic mapping, and one for an explicit mapping. Note that the lines have been broken here for legibility only. In a real configuration file, the query would be all on one line:

 "queries" : {
     "genericTables" : {
         "credential-query" : "SELECT obj.objectid, obj.rev, obj.fullobject FROM ${_dbSchema}.${_mainTable} obj
         INNER JOIN ${_dbSchema}.objecttypes objtype ON objtype.id = obj.objecttypes_id
         AND objtype.objecttype = ${_resource} INNER JOIN ${_dbSchema}.${_propTable} usernameprop
         ON obj.id = usernameprop.${_mainTable}_id AND usernameprop.propkey='/userName'
         INNER JOIN ${_dbSchema}.${_propTable} statusprop ON obj.id = statusprop.${_mainTable}_id
         AND statusprop.propkey='/accountStatus' WHERE usernameprop.propvalue = ${username}
         AND statusprop.propvalue = 'active'",
         ...
     "explicitTables" : {
         "credential-query" : "SELECT * FROM ${_dbSchema}.${_table}
           WHERE username = ${username} and accountstatus = 'active'",
         ...
     }
 }

Options supported for query parameters include the following:

A default string parameter, for example:
```
openidm.query("managed/user", { "_queryId": "for-userName", "uid": "jdoe" });
```
For more information about the query function, see "openidm.query(resourceName, params, fields)".
A list parameter (${list:propName}).
Use this parameter to specify a set of indeterminate size as part of your query. For example:
```
WHERE targetObjectId IN (${list:filteredIds})
```
An integer parameter (${int:propName}).
Use this parameter to query non-string values in the database. This is particularly useful with explicit tables.

commands

Specific commands configured to manage the database over the REST interface. Currently, the following default commands are included in the configuration:

purge-by-recon-expired
purge-by-recon-number-of
delete-mapping-links
delete-target-ids-for-recon

These commands assist with removing stale reconciliation audit information from the repository, and preventing the repository from growing too large. The commands work by executing a query filter, then performing the specified operation on each result set. Currently the only supported operation is DELETE, which removes all entries that match the filter. For more information about repository commands, see "Running Queries and Commands on the Repository".

resourceMapping

Defines the mapping between IDM resource URIs (for example, managed/user) and JDBC tables. The structure of the resource mapping is as follows:

 "resourceMapping" : {
     "default" : {
         "mainTable" : "genericobjects",
         "propertiesTable" : "genericobjectproperties",
         "searchableDefault" : true
     },
     "genericMapping" : {...},
     "explicitMapping" : {...}
 }

The default mapping object represents a default generic table in which any resource that does not have a more specific mapping is stored.

The generic and explicit mapping objects are described in the following section.

6.1.3. Understanding the DS Repository Configuration

An excerpt of a DS repository configuration file follows:

{
     "embedded" : false,
     "maxConnectionAttempts" : 5,
     "security" : {...},
     "ldapConnectionFactories" : {...},
     "queries" : {...},
     "commands" : {...},
     "rest2LdapOptions": {...},
     "indices": {...},
     "schemaProviders": {...},
     "resourceMapping" : {...}
 }

The configuration file includes the following properties:

embedded : boolean

Specifies an embedded or external DS instance.

IDM uses an embedded DS instance by default. The embedded instance is not supported in production.

maxConnectionAttempts : integer

Specifies the number of times IDM should attempt to connect to the DS instance. On startup, IDM will attempt to connect to DS indefinitely. The maxConnectionAttempts parameter controls the number of reconnection attempts in the event of a failure during normal operation, for example, if an attempt to access the DS repository times out.

By default, IDM will attempt to reconnect to the DS instance 5 times.

security

Specifies the DS key manager and trust manager provider types, both jvm by default. For example:

"security": {
    "trustManager": "jvm",
    "keyManager": "jvm"
}

ldapConnectionFactories

For an external DS repository, configures the connection to the DS instance. For example:

"ldapConnectionFactories": {
    "bind": {
        "connectionSecurity": "none",
        "sslCertAlias": "client-cert",
        "heartBeatIntervalSeconds": 60,
        "heartBeatTimeoutMilliSeconds": 10000,
        "primaryLdapServers": [{ "hostname": "localhost", "port": 31389 }],
        "secondaryLdapServers": []
    },
    "root": {
        "inheritFrom": "bind",
        "authentication": {
            "simple": { "bindDn": "cn=Directory Manager", "bindPassword": "password" }
        }
    }
}

queries

Predefined queries that can be referenced from the configuration. For a DS repository, all predefined queries are really filtered queries (using the _queryFilter parameter), for example:

"query-all-ids": {
    "_queryFilter": "true",
    "_fields": "_id,_rev"
},

The queries are divided between those for generic mappings and those for explicit mappings, but the queries themselves are the same for both mapping types.

commands

Specific commands configured to manage the repository over the REST interface. Currently, only two commands are included by default:

delete-mapping-links
delete-target-ids-for-recon

Both of these commands assist with removing stale reconciliation audit information from the repository, and preventing the repository from growing too large. For more information about repository commands, see "Running Queries and Commands on the Repository".

rest2LdapOptions

Specifies the configuration for accessing the LDAP data stored in DS. For more information, see Gateway REST2LDAP Configuration File in the DS Reference.

indices

For generic mappings, sets up LDAP indices on custom object properties. For more information, see "Improving Generic Mapping Search Performance (DS)".

schemaProviders

For generic mappings, lets you list custom objects whose properties should be indexed. For more information, see "Improving Generic Mapping Search Performance (DS)".

resourceMapping

Defines the mapping between IDM resource URIs (for example, managed/user) and the DS directory tree. The structure of the resource mapping object is as follows:

{
    "resourceMapping" : {
        "defaultMapping": {
            "dnTemplate": "ou=generic,dc=openidm,dc=forgerock,dc=com"
        },
        "explicitMapping" : {...},
        "genericMapping" : {...}
}

The default mapping object represents a default generic organizational unit (ou) in which any resource that does not have a more specific mapping is stored.

The generic and explicit mapping objects are described in "Using Generic and Explicit Object Mappings" .

6.2. Using Generic and Explicit Object Mappings

There are two ways to map IDM objects to the tables in a JDBC database or to organizational units in DS:

Generic mapping, which allows you to store arbitrary objects without special configuration or administration.
Explicit mapping, which maps specific objects and properties to tables and columns in the JDBC database or to organizational units in DS.

These two mapping strategies are discussed in the following sections, for JDBC repositories and for DS repositories:

6.2.1. Generic and Explicit Mappings With a JDBC Repository

6.2.1.1. Using Generic Mappings With a JDBC Repository

Generic mapping speeds up development, and can make system maintenance more flexible by providing a stable database structure. However, generic mapping can have a performance impact and does not take full advantage of the database facilities (such as validation within the database and flexible indexing). In addition, queries can be more difficult to set up.

In a generic table, the entire object content is stored in a single large-character field named fullobject in the mainTable for the object. To search on specific fields, you can read them by referring to them in the corresponding properties table for that object. The disadvantage of generic objects is that, because every property you might like to filter by is stored in a separate table, you must join to that table each time you need to filter by anything.

The following diagram shows a pared down database structure for the default generic table, when using a MySQL repository. The diagram indicates the relationship between the main table and the corresponding properties table for each object.

Generic Tables Entity Relationship Diagram

These separate tables can make the query syntax particularly complex. For example, a simple query to return user entries based on a user name would need to be implemented as follows:

SELECT obj.objectid, obj.rev, obj.fullobject FROM ${_dbSchema}.${_mainTable} obj
INNER JOIN ${_dbSchema}.${_propTable} prop ON obj.id = prop.${_mainTable}_id
INNER JOIN ${_dbSchema}.objecttypes objtype ON objtype.id = obj.objecttypes_id
WHERE prop.propkey='/userName' AND prop.propvalue = ${uid} AND objtype.objecttype = ${_resource}",

The query can be broken down as follows:

Select the full object, the object ID, and the object revision from the main table:
```
SELECT obj.objectid, obj.rev, obj.fullobject FROM ${_dbSchema}.${_mainTable} obj
```
Join to the properties table and locate the object with the corresponding ID:
```
INNER JOIN ${_dbSchema}.${_propTable} prop  ON obj.id = prop.${_mainTable}_id
```
Join to the object types table to restrict returned entries to objects of a specific type. For example, you might want to restrict returned entries to managed/user objects, or managed/role objects:
```
INNER JOIN ${_dbSchema}.objecttypes objtype ON objtype.id = obj.objecttypes_id
```
Filter records by the userName property, where the userName is equal to the specified uid and the object type is the specified type (in this case, managed/user objects):
```
WHERE prop.propkey='/userName'
 AND prop.propvalue = ${uid}
 AND objtype.objecttype = ${_resource}",
```
The value of the uid field is provided as part of the query call, for example:
```
openidm.query("managed/user", { "_queryId": "for-userName", "uid": "jdoe" });
```

Tables for user definable objects use a generic mapping by default.

The following sample generic mapping object illustrates how managed/ objects are stored in a generic table:

"genericMapping" : {
       "managed/*" : {
           "mainTable" : "managedobjects",
           "propertiesTable" : "managedobjectproperties",
           "searchableDefault" : true,
           "properties" : {
               "/picture" : {
                   "searchable" : false
               }
           }
       }
   },

mainTable (string, mandatory)

Indicates the main table in which data is stored for this resource.

The complete object is stored in the fullobject column of this table. The table includes an objecttypes foreign key that is used to distinguish the different objects stored within the table. In addition, the revision of each stored object is tracked, in the rev column of the table, enabling multiversion concurrency control (MVCC). For more information, see "Manipulating Managed Objects Programmatically".

propertiesTable (string, mandatory)

Indicates the properties table, used for searches.

Note

PostgreSQL repositories do not use these properties tables to access specific properties. Instead, the PostgreSQL json_extract_path_text() function achieves this functionality.

The contents of the properties table is a defined subset of the properties, copied from the character large object (CLOB) that is stored in the fullobject column of the main table. The properties are stored in a one-to-many style separate table. The set of properties stored here is determined by the properties that are defined as searchable.

The stored set of searchable properties makes these values available as discrete rows that can be accessed with SQL queries, specifically, with WHERE clauses. It is not otherwise possible to query specific properties of the full object.

The properties table includes the following columns:

${_mainTable}_id corresponds to the id of the full object in the main table, for example, manageobjects_id, or genericobjects_id.
propkey is the name of the searchable property, stored in JSON pointer format (for example /mail).
proptype is the data type of the property, for example java.lang.String. The property type is obtained from the Class associated with the value.
propvalue is the value of property, extracted from the full object that is stored in the main table.
Regardless of the property data type, this value is stored as a string, so queries against it should treat it as such.

searchableDefault (boolean, optional)

Specifies whether all properties of the resource should be searchable by default. Properties that are searchable are stored and indexed. You can override the default for individual properties in the properties element of the mapping. The preceding example indicates that all properties are searchable, with the exception of the picture property.

For large, complex objects, having all properties searchable implies a substantial performance impact. In such a case, a separate insert statement is made in the properties table for each element in the object, every time the object is updated. Also, because these are indexed fields, the recreation of these properties incurs a cost in the maintenance of the index. You should therefore enable searchable only for those properties that must be used as part of a WHERE clause in a query.

Note

PostgreSQL repositories do not use the searchableDefault property.

properties

Lists any individual properties for which the searchable default should be overridden.

Note that if an object was originally created with a subset of searchable properties, changing this subset (by adding a new searchable property in the configuration, for example) will not cause the existing values to be updated in the properties table for that object. To add the new property to the properties table for that object, you must update or recreate the object.

6.2.1.2. Improving Generic Mapping Search Performance (JDBC)

All properties in a generic mapping are searchable by default. In other words, the value of the searchableDefault property is true unless you explicitly set it to false. Although there are no individual indexes in a generic mapping, you can improve search performance by setting only those properties that you need to search as searchable. Properties that are searchable are created within the corresponding properties table. The properties table exists only for searches or look-ups, and has a composite index, based on the resource, then the property name.

The sample JDBC repository configuration files (db/database/conf/repo.jdbc.json) restrict searches to specific properties by setting the searchableDefault to false for managed/user mappings. You must explicitly set searchable to true for each property that should be searched. The following sample extract from repo.jdbc.json indicates searches restricted to the userName property:

"genericMapping" : {
     "managed/user" : {
         "mainTable" : "manageduserobjects",
         "propertiesTable" : "manageduserobjectproperties",
         "searchableDefault" : false,
         "properties" : {
             "/userName" : {
             "searchable" : true
             }
         }
     }
 },

With this configuration, IDM creates entries in the properties table only for userName properties of managed user objects.

If the global searchableDefault is set to false, properties that do not have a searchable attribute explicitly set to true are not written in the properties table.

6.2.1.3. Using Explicit Mappings With a JDBC Repository

Explicit mapping is more difficult to set up and maintain, but can take complete advantage of the native database facilities.

An explicit table offers better performance and simpler queries. There is less work in the reading and writing of data, because the data is all in a single row of a single table. In addition, it is easier to create different types of indexes that apply to only specific fields in an explicit table. The disadvantage of explicit tables is the additional work required in creating the table in the schema. Also, because rows in a table are inherently more simple, it is more difficult to deal with complex objects. Any non-simple key:value pair in an object associated with an explicit table is converted to a JSON string and stored in the cell in that format. This makes the value difficult to use, from the perspective of a query attempting to search within it.

You can have a generic mapping configuration for most managed objects, and an explicit mapping that overrides the default generic mapping in certain cases.

IDM provides a sample configuration, for each JDBC repository, that sets up an explicit mapping for the managed user object and a generic mapping for all other managed objects. This configuration is defined in the files named /path/to/openidm/db/repository/conf/repo.jdbc-repository-explicit-managed-user.json. To use this configuration, copy the file that corresponds to your repository to your project's conf/ directory and rename it repo.jdbc.json. Run the sample-explicit-managed-user.sql data definition script (in the path/to/openidm/db/repository/scripts directory) to set up the corresponding tables when you configure your JDBC repository.

IDM uses explicit mapping for internal system tables, such as the tables used for auditing.

Depending on the types of usage your system is supporting, you might find that an explicit mapping performs better than a generic mapping. Operations such as sorting and searching (such as those performed in the default UI) tend to be faster with explicitly-mapped objects, for example.

The following sample explicit mapping object illustrates how internal/user objects are stored in an explicit table:

"explicitMapping" : {
     "internal/user" : {
         "table" : "internaluser",
         "objectToColumn" : {
             "_id" : "objectid",
             "_rev" : "rev",
             "password" : "pwd",
             "roles" : "roles"
         }
     },
     ...
 }

<resource-uri> (string, mandatory)

Indicates the URI for the resources to which this mapping applies, for example, internal/user.

table (string, mandatory)

The name of the database table in which the object (in this case internal users) is stored.

objectToColumn (string, mandatory)

The way in which specific managed object properties are mapped to columns in the table.

The mapping can be a simple one to one mapping, for example "userName": "userName", or a more complex JSON map or list. When a column is mapped to a JSON map or list, the syntax is as shown in the following examples:

"messageDetail" : { "column" : "messagedetail", "type" : "JSON_MAP" }

or

"roles": { "column" : "roles", "type" : "JSON_LIST" }

Available column data types you can specify are STRING (the default), NUMBER, JSON_MAP, JSON_LIST, and FULLOBJECT.

Caution

Pay particular attention to the following caveats when you map properties to explicit columns in your database:

Support for data types in columns is restricted to numeric values (NUMBER) and strings (STRING). Although you can specify other data types, IDM handles all other data types as strings. Your database will need to convert these types from a string to the alternative data type. This conversion is not guaranteed to work.
If the conversion does work, the format might not be the same when the data is read from the database as it was when it was saved. For example, your database might parse a date in the format 12/12/2012 and return the date in the format 2012-12-12 when the property is read.
Passwords are encrypted before they are stored in the repository. The length of the password column must be long enough to store the encrypted password value, which can vary depending on how it is encrypted and whether it is also hashed.
The sample-explicit-managed-user.sql file referenced in this section sets the password column to a length of 511 characters (VARCHAR(511) to account for the additional space an encrypted password requires. For more information about IDM encryption and an example encrypted password value, see "Using the encrypt Subcommand" and "Encoding Attribute Values".
If your data objects include virtual properties, you must include columns in which to store these properties. If you don't explicitly map the virtual properties, you will see errors similar to the following when you attempt to create the corresponding object"
```
{
    "code":400,
    "reason":"Bad Request",
    "message":"Unmapped fields [/property-name/0]
    for type managed/user and table openidm.managed_user"
}
```
When virtual properties are returned in the result of a query, the query previously persisted values of the requested virtual properties. To recalculate virtual property values in a query, you must set executeOnRetrieve to true in the query request parameters. For more information, see "Property Storage Triggers".

6.2.2. Generic and Explicit Mappings With a DS Repository

For both generic and explicit mappings, IDM maps object types using a dnTemplate property. The dnTemplate is effectively a pointer to where the object is stored in DS. For example, the following excerpt of the default repo.ds.json file shows how configuration objects are stored under the DN ou=config,dc=openidm,dc=forgerock,dc=com:

"config": {
    "dnTemplate": "ou=config,dc=openidm,dc=forgerock,dc=com"
},

6.2.2.1. Using Generic Mappings With a DS Repository

By default, IDM uses a generic mapping for all objects except the following:

Internal users, roles, and privileges
Links
Clustered reconciliation target IDs
Note that clustered reconciliation is not currently supported with a DS repository.
Locks
Objects related to queued synchronization

With a generic mapping, all the properties of an object are stored as a single JSON blob in the fr-idm-json attribute. To create a new generic mapping, you need only specify the dnTemplate, that is, where the object will be stored in the directory tree.

You can specify a wildcard mapping, that stores all nested URIs under a particular branch of the directory tree, for example:

"managed/*": {
    "dnTemplate": "ou=managed,dc=openidm,dc=forgerock,dc=com"
},

With this mapping, all objects under managed/, such as managed/user and managed/device, will be stored in the branch ou=managed,dc=openidm,dc=forgerock,dc=com. You do not have to specify separate mappings for each of these objects. The mapping creates a new ou for each object. So, for example, managed/user objects will be stored under the DN ou=user,ou=managed,dc=openidm,dc=forgerock,dc=com and managed/device objects will be stored under the DN ou=device,ou=managed,dc=openidm,dc=forgerock,dc=com.

6.2.2.1.1. Improving Generic Mapping Search Performance (DS)

By default, all generic objects are instances of the fr-idm-generic-obj object class and their properties are stored as a single JSON blob in the fr-idm-json attribute. The fr-idm-json attribute is indexed by default, which results in all attributes of a generic object being indexed. JDBC repositories behave in a similar way, with all generic objects being searchable by default.

To optimize search performance on specific generic resources, you can set up your own schema providers and indices as described in this section. For a detailed explanation of how indexes improve LDAP search performance, see Indexing Attribute Values in the DS Administration Guide.

For the embedded DS repository, or an external DS repository installed as described in "Using an External DS Repository" in the Installation Guide, the following managed user properties are indexed by default:

userName (cn)
givenName
sn
mail
telephoneNumber

You can configure managed user indexes in the repository configuration (repo.ds.json) by adding indices and schemaProviders objects, as follows:

"indices" : {
    ...
    "fr-idm-managed-user-json" : {
      "type" : [ "EQUALITY" ]
    },
    ...
  },
  "schemaProviders" : {
    "Managed User Json" : {
      "matchingRuleName" : "caseIgnoreJsonQueryMatchManagedUser",
      "matchingRuleOid" : "1.3.6.1.4.1.36733.2.....",
      "caseSensitiveStrings" : false,
      "fields" : [ "userName", "givenName", "sn", "mail", "telephoneNumber" ]
    },
    ...
  },

The indexed properties are listed in the array of fields for that managed object. To index additional managed user properties, add the property names to this array of fields.

To set up indexes on generic objects other than the managed user object, you must do the following:

Add the object to the DS schema.
The schema for an embedded DS repository is stored in the /path/to/openidm/db/openidm/opendj/db/schema/60-repo-schema.ldif file.
You can use the managed user object as an example of the schema syntax:
```
###
# Managed User
###
attributeTypes: ( 1.3.6.1.4.1.36733.2.3.1.13
  NAME 'fr-idm-managed-user-json'
  SYNTAX 1.3.6.1.4.1.36733.2.1.3.1
  EQUALITY caseIgnoreJsonQueryMatchManagedUser
  ORDERING caseIgnoreOrderingMatch
  SINGLE-VALUE
  X-ORIGIN 'OpenIDM DSRepoService')
objectClasses: ( 1.3.6.1.4.1.36733.2.3.2.6
  NAME 'fr-idm-managed-user'
  SUP top
  STRUCTURAL
  MUST ( fr-idm-managed-user-json )
  X-ORIGIN 'OpenIDM DSRepoService' )
```
For information about adding JSON objects to the DS schema, see Working With JSON in the DS Administration Guide.
Warning
If you delete the db/openidm directory, any additions you have made to the schema will be lost. If you have customized the schema, be sure to back up the 60-repo-schema.ldif file.
Add the object to the indices property in the conf/repo.ds.json file.
The following example sets up an equality index for a managed devices object:
```
"indices" : {
    ...
    "fr-idm-managed-devices-json" : {
      "type" : [ "EQUALITY" ]
    },
    ...
       },
```

Add the object to the schemaProviders property in the conf/repo.ds.json file and list the properties that should be indexed.

The following example sets up indexes for the deviceName, brand, and assetNumber properties of the managed device object:

"schemaProviders" : {
    "Managed Device Json" : {
      "matchingRuleName" : "caseIgnoreJsonQueryMatchManagedDevice",
      "matchingRuleOid" : "1.3.6.1.4.1.36733.2.....",
      "caseSensitiveStrings" : false,
      "fields" : [ "deviceName", "brand", "assetNumber" ]
    },

For more information about indexing JSON attributes, see Configuring an Index for a JSON Attribute in the DS Administration Guide.

Note

The OIDs shown in this section are reserved for ForgeRock internal use. If you set up additional objects and attributes, or if you change the default schema, you must specify your own OIDs here.

6.2.2.2. Using Explicit Mappings With a DS Repository

The default configuration uses generic mappings for all objects except internal users and roles, links, and clustered reconciliation target IDs. To use an explicit mapping for managed user objects, follow these steps:

Stop IDM if it is running.

Copy the repo.ds-explicit-managed-user.json file to your project's conf directory, and rename that file repo.ds.json:

$ cd /path/to/openidm
$ cp db/ds/conf/repo.ds-explicit-managed-user.json project-dir/conf/repo.ds.json

Important

This file is configured for an embedded DS repository by default. To set up an explicit mapping for an external DS repository, change the value of the "embedded" property to false and add the following properties:

"security": {
    "trustManager": "jvm",
    "keyManager": "jvm"
},
"ldapConnectionFactories": {
    "bind": {
        "connectionSecurity": "none",
        "sslCertAlias": "client-cert",
        "heartBeatIntervalSeconds": 60,
        "heartBeatTimeoutMilliSeconds": 10000,
        "primaryLdapServers": [{ "hostname": "localhost", "port": 31389 }],
        "secondaryLdapServers": []
    },
    "root": {
        "inheritFrom": "bind",
        "authentication": {
            "simple": { "bindDn": "cn=Directory Manager", "bindPassword": "password" }
        }
    }
},

For more information on these properties, see "Understanding the DS Repository Configuration".

Restart IDM.

IDM uses the DS REST to LDAP gateway to map JSON objects to LDAP objects stored in the directory. To create additional explicit mappings, you must specify the LDAP objectClasses to which the object is mapped, and how each property maps to its corresponding LDAP attributes. Specify at least the property type and the corresponding ldapAttribute.

The following excerpt of the explicit managed user object mapping provides an example:

"managed/user" : {
    "dnTemplate": "ou=user,ou=managed,dc=openidm,dc=forgerock,dc=com",
    "objectClasses": [ "person", "organizationalPerson", "inetOrgPerson", "fr-idm-managed-user-explicit" ],
    "properties": {
        "_id": {
            "type": "simple", "ldapAttribute": "uid", "isRequired": true, "writability": "createOnly"
        },
        "userName": {
            "type": "simple", "ldapAttribute": "cn"
        },
        "password": {
            "type": "json", "ldapAttribute": "fr-idm-password"
        },
        "accountStatus": {
            "type": "simple", "ldapAttribute": "fr-idm-accountStatus"
        },
        "roles": {
            "type": "json", "ldapAttribute": "fr-idm-role", "isMultiValued": true
        },
        "effectiveRoles": {
            "type": "json", "ldapAttribute": "fr-idm-effectiveRole", "isMultiValued": true
        },
        "effectiveAssignments": {
            "type": "json", "ldapAttribute": "fr-idm-effectiveAssignment", "isMultiValued": true
        },
        ...
    }
},

You do not need to map the _rev (revision) property of an object as this property is implicit in all objects and maps to the DS etag operational attribute.

If your data objects include virtual properties, you must include property mappings for these properties. If you don't explicitly map the virtual properties, you will see errors similar to the following when you attempt to create the corresponding object:

{"code":400,"reason":"Bad Request","message":"Unmapped fields...}

For more information about the REST to LDAP property mappings, see Mapping Configuration File in the DS Reference.

For performance reasons, the DS repository does not apply unique constraints to links. This behavior is different to the JDBC repositories, where uniqueness on link objects is enforced.

Important

DS currently has a default index entry limit of 4000. Therefore, you cannot query more than 4000 records unless you create a Virtual List View (VLV) index. A VLV index is designed to help DS respond to client applications that need to browse through a long list of objects.

You cannot create a VLV index on a JSON attribute. For generic mappings, IDM avoids this restriction by using client-side sorting and searching. However, for explicit mappings you must create a VLV index for any filtered or sorted results, such as results displayed in a UI grid. To configure a VLV index, use the dsconfig command described in Configuring a Virtual List View Index in the DS Administration Guide.

6.2.2.2.1. Specifying How IDM IDs Map to LDAP Entry Names

The DS REST2LDAP configuration lets you specify a namingStrategy that determines how LDAP entry names are mapped to JSON resources. When IDM stores its objects in a DS repository, this namingStrategy determines how the IDM _id value maps to the Relative Distinguished Name (RDN) of the corresponding DS object.

The namingStrategy is specified as part of the explicitMapping of an object in the repo.ds.json file. The following example shows a naming strategy configuration for an explicit managed user mapping:

"resourceMapping": {
    "defaultMapping": {
        "dnTemplate": "ou=generic,dc=openidm,dc=forgerock,dc=com"
    },
    ...
    "explicitMapping": {
        "managed/user" : {
            "dnTemplate": "ou=user,ou=managed,dc=openidm,dc=forgerock,dc=com",
            "objectClasses": [
                "person",
                "organizationalPerson",
                "inetOrgPerson",
                "fr-idm-managed-user-explicit"
            ],
            "namingStrategy" : {
                "type" : "clientDnNaming",
                "dnAttribute" : "uid"
            },
         ...
}

The namingStrategy can be one of the following:

clientDnNaming - IDM provides an _id to DS and that _id is used to generate the DS RDN. In the following example, the IDM _id maps to the LDAP uid attribute:
```
{
     "namingStrategy": {
         "type": "clientDnNaming",
         "dnAttribute": "uid"
     }
 }     
```
With this default configuration, entries are stored in DS with a DN similar to the following:
"uid=idm-uuid,ou=user,ou=managed,dc=openidm,dc=forgerock,dc=com"
Note
If these default DNs are suitable in your deployment, you do not have to change anything with regard to the naming strategy.
clientNaming - IDM provides an _id to DS but the DS RDN is derived from a different user attribute in the LDAP entry. In the following example, the RDN is the cn attribute. The _id that IDM provides for the object maps to the LDAP uid attribute:
```
{
     "namingStrategy": {
         "type": "clientNaming",
         "dnAttribute": "cn",
         "idAttribute": "uid"
     }
 }     
```
With this configuration, entries are stored in DS with a DN similar to the following:
"cn=username,ou=user,ou=managed,dc=openidm,dc=forgerock,dc=com"

Specifying a namingStrategy is optional. If you do not specify a strategy, the default is clientDnNaming with the following configuration:

{
     "namingStrategy" : {
         "type" : "clientDnNaming",
         "dnAttribute" : "uid"
     },
     "properties: : {
         "_id": {
             "type": "simple",
             "ldapAttribute": "uid",
             "isRequired": true,
             "writability": "createOnly"
         },
     ...
     }
 }

Note

If you do not set a dnAttribute as part of the naming strategy, the value of the dnAttribute is taken from the value of the ldapAttribute on the _id property.

6.3. Connect to a JDBC Repository Over SSL

This procedure assumes that you have already set up your JDBC repository, as described in "Selecting a Repository" in the Installation Guide. The exact steps to connect to a JDBC repository over SSL depend on your repository. This procedure describes the steps for a MySQL 8 repository. If you are using a different JDBC repository, use the corresponding documentation for that repository, and adjust the steps accordingly.

Change the jdbcUrl property in your repository connection configuration file (conf/datasource.jdbc-default.json ).
The exact value of the jdbcUrl property will depend on your JDBC database, and on the version of your JDBC driver:
The following example shows the configuration for MySQL with JDBC driver version 8.0.12 or earlier:
```
"jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&useSSL=true&verifyServerCertificate=true&requireSSL=true"
```
The following example shows the configuration for MySQL with JDBC driver version 8.0.13 or later:
```
"jdbcUrl" : "jdbc:mysql://&{openidm.repo.host}:&{openidm.repo.port}/openidm?allowMultiQueries=true&characterEncoding=utf8&sslMode=VERIFY_CA&requireSSL=true"
```
Note
For Azure MySQL, JDBC Driver Version 8.0.17+ is required.
Create and verify the SSL certificate and key files required to support encrypted connections to the JDBC repository.
For MySQL 8, use one of the procedures in the MySQL docs.
Configure the JDBC repository to use encrypted connections.
For MySQL 8, follow the MySQL docs.

Check that the connection to the database is over SSL by running a command similar to the following:

mysql -u root -P 3306 -p
mysql>show variables like "%have_ssl%";

+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.00 sec)

Convert your MySQL client key and certificate files to a PKCS #12 archive. For example:

openssl pkcs12 -export \
 -in client-cert.pem \
 -inkey client-key.pem \
 -name "mysqlclient" \
 -passout pass:changeit \
 -out client-keystore.p12

Import the client-keystore.p12 into the IDM keystore:
```
keytool \
 -importkeystore \
 -srckeystore client-keystore.p12 \
 -srcstoretype pkcs12 \
 -srcstorepass changeit \
 -destkeystore /path/to/openidm/security/keystore.jceks \
 -deststoretype jceks \
 -deststorepass changeit
```
Important
For AWS RDS MySQL and Azure MySQL, no client certificates are provided. In this case, you must create an empty keystore for client certificates, and add the following to the jdbcUrl property in your repository connection configuration file (conf/datasource.jdbc-default.json ):
```
&clientCertificateKeyStoreUrl=file:/opt/idm/security/empty.jks&clientCertificateKeyStorePassword=changeit
```
Import your MySQL CA certificate into the IDM truststore.
```
keytool \
 -importcert \
 -trustcacerts \
 -file ca-cert.pem \
 -alias "DB cert" \
 -keystore /path/to/openidm/security/truststore
```
You are prompted for a keystore password. You must use the same password as is shown in your resolver/boot.properties file. The default truststore password is:
```
openidm.truststore.password=changeit
```
After entering a keystore password, you are prompted with the following question. Assuming you have included an appropriate ca-cert.pem file, enter yes.
```
Trust this certificate? [no]: 
```
Open your project's conf/system.properties file. Add the following line to that file. If appropriate, substitute the path to your own truststore:
```
# Set the truststore
javax.net.ssl.trustStore=&{idm.install.dir}/security/truststore
```
Even if you are setting up this instance of IDM as part of a cluster, you must configure this initial truststore. After this instance joins a cluster, the SSL keys in this particular truststore are replaced.

6.4. Interacting With the Repository Over REST

The IDM repository is accessible over the REST interface, at the openidm/repo endpoint.

In general, you must ensure that external calls to the openidm/repo endpoint are protected. Native queries and free-form command actions on this endpoint are disallowed by default because the endpoint is vulnerable to injection attacks. For more information, see "Running Queries and Commands on the Repository".

6.4.1. Running Queries and Commands on the Repository

Free-form commands and native queries on the repository are disallowed by default and should remain so in production to reduce the risk of injection attacks.

Common filter expressions, called with the _queryFilter keyword, enable you to form arbitrary queries on the repository, using a number of supported filter operations. For more information on these filter operations, see "Constructing Queries". Parameterized or predefined queries and commands (using the _queryId and commandId keywords) can be authorized on the repository for external calls if necessary. For more information, see "Parameterized Queries".

Running commands on the repository is supported primarily from scripts. Certain scripts that interact with the repository are provided by default, for example, the scripts that enable you to purge the repository of reconciliation audit records.

You can define your own commands, and specify them in the database table configuration file (either repo.ds.json or repo.jdbc.json). In the following simple example, a command is called to clear out UI notification entries from the repository, for specific users.

The command is defined in the repository configuration file, as follows:

"commands" : {
"delete-notifications-by-id" : "DELETE FROM ui_notification WHERE receiverId = ${username}"
...
},

The command can be called from a script, as follows:

openidm.action("repo/ui/notification", "command", {},
{ "commandId" : "delete-notifications-by-id", "userName" : "scarter"});

Exercise caution when allowing commands to be run on the repository over the REST interface, as there is an attached risk to the underlying data.

Chapter 7. Configuring the Server

This chapter describes how IDM loads and stores its configuration, how the configuration can be changed, and specific configuration recommendations in a production environment.

The configuration is defined in a combination of .properties files, container configuration files, and dynamic configuration objects. Most of the configuration files are stored in your project's conf/ directory. Note that you might see files with a .patch extension in the conf/ and db/repo/conf/ directories. These files specify differences relative to the last released version of IDM and are used by the update mechanism. They do not affect your current configuration.

7.1. Configuration Objects

IDM exposes internal configuration objects in JSON format. Configuration elements can be either single instance or multiple instance for an IDM installation.

7.1.1. Single Instance Configuration Objects

Single instance configuration objects correspond to services that have at most one instance per installation. JSON file views of these configuration objects are named object-name.json.

The following list describes the single instance configuration objects:

The audit configuration specifies how audit events are logged.
The authentication configuration controls REST access.
The cluster configuration defines how an IDM instance can be configured in a cluster.
The endpoint configuration controls any custom REST endpoints.
The info configuration points to script files for the customizable information service.
The managed configuration defines managed objects and their schemas.
The policy configuration defines the policy validation service.
The process access configuration defines access to configured workflows.
The repo.repo-type configuration such as repo.ds or repo.jdbc configures the IDM repository.
The router configuration specifies filters to apply for specific operations.
The script configuration defines the parameters that are used when compiling, debugging, and running JavaScript and Groovy scripts.
The sync configuration defines the mappings that IDM uses when it synchronizes and reconciles managed objects.
The ui configuration defines the configurable aspects of the default user interfaces.
The workflow configuration defines the configuration of the workflow engine.

IDM stores managed objects in the repository, and exposes them under /openidm/managed. System objects on external resources are exposed under /openidm/system.

7.1.2. Multiple Instance Configuration Objects

Multiple instance configuration objects correspond to services that can have many instances per installation. Multiple instance configuration objects are named objectname/instancename, for example, provisioner.openicf/csvfile.

JSON file views of these configuration objects are named objectname-instancename.json, for example, provisioner.openicf-csvfile.json.

IDM provides the following multiple instance configuration objects:

Multiple schedule configurations can run reconciliations and other tasks on different schedules.
Multiple provisioner.openicf configurations correspond to connected resources.
Multiple servletfilter configurations can be used for different servlet filters such as the Cross Origin and GZip filters.

7.2. Making Configuration Changes

When you change configuration objects, take the following points into account:

IDM's authoritative configuration source is its repository. Although the JSON files provide a view of the configuration objects, they do not represent the authoritative source.
Unless you have disabled file writes, as described in "Disabling Automatic Configuration Updates", IDM updates JSON files after you make configuration changes over REST. You can also edit those JSON files directly.
IDM recognizes changes to JSON files when it is running. The server must be running when you delete configuration objects, even if you do so by editing the JSON files.
Avoid editing configuration objects directly in the repository. Rather, edit the configuration over the REST API, or in the configuration JSON files to ensure consistent behavior and that operations are logged.
By default, IDM stores its configuration in the repository. If you remove an IDM instance and do not specifically drop the repository, the configuration remains in effect for a new instance that uses that repository. You can disable this persistent configuration in your project's conf/system.properties file by uncommenting the following line:
```
# openidm.config.repo.enabled=false
```
Disabling persistent configuration means that IDM stores its configuration in memory only.

7.3. Changing the Default REST Context

By default, IDM objects are accessible over REST at the context path /openidm/* where * indicates the remainder of the context path, for example /openidm/managed/user. You can change the default REST context (/openidm) by setting the openidm.servlet.alias property in your project's resolver/boot.properties file.

The following change to the boot.properties file sets the REST context to /example:

openidm.servlet.alias=/example

After this change, objects are accessible at the /example context path, for example:

$ $ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/example/managed/user?_queryId=query-all-ids"
{
  "result": [
    {
      "_id": "bjensen",
      "_rev": "0000000042b1dcd2"
    },
    {
      "_id": "scarter",
      "_rev": "000000009b54de8a"
    }
  ],
  ...
}

To ensure that the Admin UI works with the new REST context, also change the commonConstants.context property in the following file:

/path/to/openidm/ui/admin/default/org/forgerock/openidm/ui/common/util/Constants.js

Note

If you've set up a custom UI per "Customizing the Admin UI" and/or "Customizing the End User UI", the directory with the Constants.js file will vary.

Note that changing the REST context impacts the API Explorer, described in "API Explorer". If you want to use the API Explorer with the new REST context, change the baseUrl property in the following file:

/path/to/openidm/ui/api/default/index.html

Based on the change to the REST context earlier in this section, you'd set the following:

//base URL for accessing the OpenAPI JSON endpoint
var baseURL = '/example/';

7.4. Configuring the Server for Production

Out of the box, IDM is configured to make it easy to install and evaluate. Specific configuration changes are required before you deploy IDM in a production environment.

7.4.1. Configuring a Production Repository

By default, IDM installs an embedded ForgeRock Directory Services (DS) instance for use as its repository. This makes it easy to get started. Before you use IDM in production, you must replace the embedded DS repository with a supported repository. For more information, see "Selecting a Repository" in the Installation Guide.

For more information, see "Selecting a Repository" in the Installation Guide.

7.4.2. Disabling Automatic Configuration Updates

By default, IDM polls the JSON files in the conf directory periodically for any changes to the configuration. In a production system, it is recommended that you disable automatic polling for updates to prevent untested configuration changes from disrupting your identity service.

To disable automatic polling for configuration changes, edit the conf/system.properties file for your project, and uncomment the following line:

# openidm.fileinstall.enabled=false

This setting also disables the file-based configuration view, which means that IDM reads its configuration only from the repository.

Before you disable automatic polling, you must have started the server at least once to ensure that the configuration has been loaded into the repository. Be aware, if automatic polling is enabled, IDM immediately uses changes to scripts called from a JSON configuration file.

When your configuration is complete, you can disable writes to configuration files. To do so, add the following line to the conf/config.properties file for your project:

felix.fileinstall.enableConfigSave=false

7.4.3. Communicating Through a Proxy Server

To set up IDM to communicate through a proxy server, you can use JVM parameters that identify the proxy host system, and the IDM port number.

If you've configured IDM behind a proxy server, include JVM properties from the following table, in the IDM startup script:

JVM Proxy Properties

JVM Property	Example Values	Description
`-Dhttps.proxyHost`	proxy.example.com, 192.168.0.1	Hostname or IP address of the proxy server
`-Dhttps.proxyPort`	8443, 9443	Port number used by IDM

If an insecure port is acceptable, you can also use the -Dhttp.proxyHost and -Dhttp.proxyPort options. You can add these JVM proxy properties to the value of OPENIDM_OPTS in your startup script (startup.sh or startup.bat):

# Only set OPENIDM_OPTS if not already set
[ -z "$OPENIDM_OPTS" ] && OPENIDM_OPTS="-Xmx1024m -Xms1024m -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8443"

7.5. Configuring the Server Over REST

IDM exposes configuration objects under the /openidm/config context path.

To list the configuration on the local host, perform a GET request on http://localhost:8080/openidm/config.

The following REST call includes excerpts of the default configuration for an IDM instance started with the sync-with-csv sample:

$ curl \
 --request GET \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 http://localhost:8080/openidm/config
{
  "_id": "",
  "configurations": [
    {
      "_id": "router",
      "pid": "router",
      "factoryPid": null
    },
    {
      "_id": "info/login",
      "pid": "info.f01fc3ed-5871-408d-a5f0-bef00ccc4c8f",
      "factoryPid": "info"
    },
    {
      "_id": "provisioner.openicf/csvfile",
      "pid": "provisioner.openicf.9009f4a1-ea47-4227-94e6-69c345864ba7",
      "factoryPid": "provisioner.openicf"
    },
    {
      "_id": "endpoint/usernotifications",
      "pid": "endpoint.e2751afc-d169-4a23-a88e-7211d340bccb",
      "factoryPid": "endpoint"
    },
    ...
  ]
}

Single instance configuration objects are located under openidm/config/object-name. The following example shows the audit configuration of the sync-with-csv. The output has been cropped for legibility:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 "http://localhost:8080/openidm/config/audit"
{
  "_id": "audit",
  "auditServiceConfig": {
    "handlerForQueries": "json",
    "availableAuditEventHandlers": [
      "org.forgerock.audit.handlers.csv.CsvAuditEventHandler",
      "org.forgerock.audit.handlers.elasticsearch.ElasticsearchAuditEventHandler",
      "org.forgerock.audit.handlers.jms.JmsAuditEventHandler",
      "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
      "org.forgerock.audit.handlers.json.stdout.JsonStdoutAuditEventHandler",
      "org.forgerock.openidm.audit.impl.RepositoryAuditEventHandler",
      "org.forgerock.openidm.audit.impl.RouterAuditEventHandler",
      "org.forgerock.audit.handlers.splunk.SplunkAuditEventHandler",
      "org.forgerock.audit.handlers.syslog.SyslogAuditEventHandler"
    ],
    "filterPolicies": {
      "value": {
        "excludeIf": [
          "/access/http/request/cookies/&{com.iplanet.am.cookie.name}",
          "/access/http/request/cookies/session-jwt",
          "/access/http/request/headers/&{com.sun.identity.auth.cookieName}",
          "/access/http/request/headers/&{com.iplanet.am.cookie.name}",
          "/access/http/request/headers/accept-encoding",
          "/access/http/request/headers/accept-language",
          "/access/http/request/headers/Authorization",
          "/access/http/request/headers/cache-control",
          "/access/http/request/headers/connection",
          "/access/http/request/headers/content-length",
          "/access/http/request/headers/content-type",
          "/access/http/request/headers/proxy-authorization",
          "/access/http/request/headers/X-OpenAM-Password",
          "/access/http/request/headers/X-OpenIDM-Password",
          "/access/http/request/queryParameters/access_token",
          "/access/http/request/queryParameters/IDToken1",
          "/access/http/request/queryParameters/id_token_hint",
          "/access/http/request/queryParameters/Login.Token1",
          "/access/http/request/queryParameters/redirect_uri",
          "/access/http/request/queryParameters/requester",
          "/access/http/request/queryParameters/sessionUpgradeSSOTokenId",
          "/access/http/request/queryParameters/tokenId",
          "/access/http/response/headers/Authorization",
          "/access/http/response/headers/Set-Cookie",
          "/access/http/response/headers/X-OpenIDM-Password"
        ],
        "includeIf": []
      }
    },
    "caseInsensitiveFields": [
      "/access/http/request/headers",
      "/access/http/response/headers"
    ]
  },
  "eventHandlers": [
    {
      "class": "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
      "config": {
        "name": "json",
        "logDirectory": "&{idm.data.dir}/audit",
        "buffering": {
          "maxSize": 100000,
          "writeInterval": "100 millis"
        },
        "topics": [
          "access",
          "activity",
          "recon",
          "sync",
          "authentication",
          "config"
        ]
      }
    }
    ...
  ],
  "eventTopics": {
    ...
  },
  "exceptionFormatter": {
    "type": "text/javascript",
    "file": "bin/defaults/script/audit/stacktraceFormatter.js"
  }
}

Multiple instance configuration objects are found under openidm/config/object-name/instance-name.

The following example shows the configuration for the CSV connector shown in the sync-with-csv sample. The output has been cropped for legibility:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 "http://localhost:8080/openidm/config/provisioner.openicf/csvfile"
{
  "_id": "provisioner.openicf/csvfile",
  "connectorRef": {
    "bundleName": "org.forgerock.openicf.connectors.csvfile-connector",
    "bundleVersion": "[1.5.19.0,1.6.0.0)",
    "connectorName": "org.forgerock.openicf.csvfile.CSVFileConnector"
  },
  "poolConfigOption": {
    "maxObjects": 10,
    "maxIdle": 10,
    "maxWait": 150000,
    "minEvictableIdleTimeMillis": 120000,
    "minIdle": 1
  },
  "operationTimeout": {
    "CREATE": -1,
    "VALIDATE": -1,
    "TEST": -1,
    "SCRIPT_ON_CONNECTOR": -1,
    "SCHEMA": -1,
    "DELETE": -1,
    "UPDATE": -1,
    "SYNC": -1,
    "AUTHENTICATE": -1,
    "GET": -1,
    "SCRIPT_ON_RESOURCE": -1,
    "SEARCH": -1
  },
  "configurationProperties": {
    "csvFile": "&{idm.instance.dir}/data/csvConnectorData.csv"
  },
  "resultsHandlerConfig": {
    "enableAttributesToGetSearchResultsHandler": true
  },
  "syncFailureHandler": {
    "maxRetries": 5,
    "postRetryAction": "logged-ignore"
  },
  "objectTypes": {
    ...
  },
  "operationOptions": {}
}

You can change the configuration over REST by using an HTTP PUT or HTTP PATCH request to modify the required configuration object.

The following example uses a PUT request to modify the configuration of the scheduler service, increasing the maximum number of threads that are available for the concurrent execution of scheduled tasks:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --header "Content-Type: application/json" \
 --request PUT \
 --data '{
    "threadPool": {
        "threadCount": 20
    },
    "scheduler": {
        "executePersistentSchedules": {"$bool" : "&{openidm.scheduler.execute.persistent.schedules}"
    }
}' \
 "http://localhost:8080/openidm/config/scheduler"
{
  "_id": "scheduler",
  "threadPool": {
    "threadCount": 20
  },
  "scheduler": {
    "executePersistentSchedules": {
      "$bool": "&{openidm.scheduler.execute.persistent.schedules}"
    }
  }
}

The following example uses a PATCH request to reset the number of threads to their original value.

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --header "Content-Type: application/json" \
 --request PATCH \
 --data '[
    {
      "operation" : "replace",
      "field" : "/threadPool/threadCount",
      "value" : 10
    }
 ]' \
 "http://localhost:8080/openidm/config/scheduler"
{
  "_id": "scheduler",
  "threadPool": {
    "threadCount": 10
  },
  "scheduler": {
    "executePersistentSchedules": {
      "$bool": "&{openidm.scheduler.execute.persistent.schedules}"
    }
  }
}

Note

Multi-version concurrency control (MVCC) is not supported for configuration objects so you do not need to specify a revision during updates to the configuration, and no revision is returned in the output.

For more information about using the REST API to update objects, see "REST API Reference".

7.6. Using Property Value Substitution

In an environment where you have more than one IDM instance, you might require a configuration that is similar, but not identical, across the different instances.

Property value substitution lets you achieve the following:

Define a configuration that is specific to a single instance, for example, setting the location of the keystore on a particular host.
Define a configuration whose parameters vary between different environments, for example, the URLs and passwords for test, development, and production environments.
Disable certain capabilities on specific nodes. For example, you might want to disable the workflow engine on specific instances.

Property value substitution uses configuration expressions to introduce variables into the server configuration. You set configuration expressions as the values of configuration properties. The effective property values can be evaluated in a number of ways. For more information about property evaluation, see "Expression Evaluation and Order of Precedence".

Configuration expressions have the following characteristics:

To distinguish them from static values, configuration expressions are preceded by an ampersand and enclosed in braces. For example: &{openidm.port.http}. The configuration token in the example is openidm.port.http. The . serves as the separator character.
You can use a default value in a configuration expression by including it after a vertical bar following the token.
For example, the following expression sets the default HTTP port value to 8080: &{openidm.port.http|8080}.
With this configuration, the server attempts to substitute openidm.port.http with a defined configuration token. If no token definition is found, the server uses the default, 8080.
A configuration property can include a mix of static values and expressions.
For example, suppose hostname is set to ds. Then &{hostname}.example.com evaluates to ds.example.com.
Configuration token evaluation is recursive.
For example, suppose port is set to &{port.prefix}389, and port.prefix is set to 2. Then &{port} evaluates to 2389.

You can define nested properties (that is a property definition within another property definition) and you can combine system properties, boot properties, and environment variables.

Important

Property substitution is not available for any configuration not processed by the IDM backend, such as ui-themeconfig or any user-supplied configuration.

7.6.1. Expression Evaluation and Order of Precedence

At server startup, expression resolvers evaluate property values to determine the effective configuration. You must define expression values before you start the IDM server that uses them.

When configuration tokens are resolved, the result is always a string. However, you can coerce the output type of the evaluated token to match the type that is required by the property. Ultimately, the expression must return the appropriate data type for the configuration property. For example, the port property takes an integer. If you set it using an expression, the result of the evaluated expression must be an integer. If the type is wrong, the server fails to start due to a syntax error. For more information about data type coercion, see "Transforming Data Types".

Expression resolvers can obtain values from the following sources:

Environment variables
You set an environment variable to hold the property value.
For example: export OPENIDM_PORT_HTTP=8080
The environment variable name must be composed of uppercase characters and underscores. The name maps to the expression token as follows:
- Uppercase characters are lower cased.
- Underscores, _, are replaced with . characters.
In other words, the value of OPENIDM_PORT_HTTP replaces &{openidm.port.http} in the server configuration.
Java system properties
You set a Java system property to hold the value.
Java system property names must match expression tokens exactly. In other words, the value of the openidm.repo.port system property replaces &{openidm.repo.port} in the server configuration.
Java system properties can be set in a number of ways. One way of setting system properties for IDM servers is to pass them through the OPENIDM_OPTS environment variable.
For example: export OPENIDM_OPTS="-Dopenidm.repo.port=3306"
System properties can also be declared in your project's conf/system.properties.
The following example uses property value substitution with a standard system property. The example modifies the audit configuration, changing the audit.json file to redirect JSON audit logs to the user's home directory. The user.home property is a default Java System property:
```
"eventHandlers" : [
     {
         "class" : "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
         "config" : {
             "name" : "json",
             "logDirectory" : "&{user.home}/audit",
             ...
         }
     },
 ... 
```
Expression files
You set a key in a .json or .properties file to hold the value. To use an expression file, set the IDM_ENVCONFIG_DIRS environment variable, or the idm.envconfig.dirs Java system property as described below. By default, IDM sets idm.envconfig.dirs to &{idm.install.dir}/resolver/.
The default property resolver file in IDM is resolver/boot.properties but you can specify additional files that might hold property values.
Keys in .properties files must match expression tokens exactly. In other words, the value of the openidm.repo.port key replaces &{openidm.repo.port} in the server configuration.
The following example expression properties file sets the repository port:
```
openidm.repo.port=1389
```
JSON expression files can contain nested objects.
JSON field names map to expression tokens as follows:
- The JSON path name matches the expression token.
- The . character serves as the JSON path separator character.
The following example JSON expression file uses property value substitution to set the host in the LDAP connector configuration:
```
{
   "openidm" : {
     "provisioner" : {
       "ldap" : {
         "host" : "ds.example.com"
         }
       }
     }
   }
 }
```
To substitute this value in the configuration, the LDAP provisioner file would include the following:
```
{
   ...
   "configurationProperties" : {
     "host" : &{openidm.provisioner.ldap.host|localhost},
     ...
   }
 }
```
If the server does not find a configuration token for the host name, it substitutes the default (localhost).
To use expression files, set the environment variable, IDM_ENVCONFIG_DIRS, or the Java system property, idm.envconfig.dirs, to a comma-separated list of the directories containing the expression files.
When reading these files, the server browses the directories in the order specified. It reads all the files with .json and .properties extensions, and attempts to use them to evaluate expression tokens.
For example, if you define idm.envconfig.dirs=/directory1,/directory2 and a configuration token is defined in both directory1 and directory2, the resolved value will be the value defined in directory1. If the configuration token is defined only in directory2, the resolved value will be the value defined in directory2.
Note the following constraints when using expression files:
- Although IDM scans the directories in a specified order, within a directory IDM scans the files in a nondeterministic order.
- IDM does not scan subdirectories.
- Do not define the same configuration token more than once in a file.
  If you define the same property twice in the same file, one definition will be used and the other will be ignored. The server will not throw an error, but because files are scanned in a nondeterministic order, you have no way of knowing which value will be used.
- You cannot define the same configuration token in more than one file in a single directory. The server generates an error in this case.
  Important
  This constraint implies that you cannot have backup .properties and .json files, in a single directory if they define the same tokens.
- If the same token occurs once in several files that are located in different directories, IDM uses the first value that is read.
Framework configuration properties
You can use the conf/config.properties file to override values used by the OSGI framework.
Configuration files
All the properties declared in the .json files in your project's conf/ directory.

The preceding list reflects the order of precedence:

Environment variables override system properties, default token settings, and settings in expression files.
System properties override default token settings, and any settings in expression files.
Default token settings.
If IDM_ENVCONFIG_DIRS or idm.envconfig.dirs is set, the server uses the settings found in expression files.
Framework configuration properties
Hardcoded property values

7.6.2. Transforming Data Types

When configuration tokens are resolved, the result is always a string. However, you can transform the output type of the evaluated token to match the type that is required by the property.

The following example JSON expression file sets the value of the port in the LDAP connector configuration:

{
   "openidm" : {
     "provisioner" : {
       "ldap" : {
         "port" : 6389
       }
     }
   }
 }

When this expression is evaluated, the port would be evaluated as a string value, which would cause an error. To coerce the port value to an integer, you would substitute the value in the LDAP provisioner file as follows:

{
   ...
   "configurationProperties" : {
     "port" : {
       "$int" : "&{openidm.provisioner.ldap.port|1389}",
     ...
   }
 }

With this configuration, the server evaluates the LDAP port property to the integer 6389. If the server does not find a configuration token for the port, it substitutes the default (1389).

The following coercion types are supported:

integer ($int)
number ($number)
This type can coerce integers, doubles, longs, and floats.
boolean ($bool)
array ($array)
object ($object)
This type can coerce a JSON object such as an encrypted password.
decodeBase64 ($base64:decode)
Transforms a base64-encoded string into a decoded string.
encodeBase64 ($base64:encode)
Transforms a string into a base64-encoded string.

7.6.3. Limitations of Property Value Substitution

The work you've done to set up property value substitution is limited; different rules apply in the following areas:

"Property Value Substitution in the Admin UI"
"Property Value Substitution for Connectors"

7.6.3.1. Property Value Substitution in the Admin UI

Support for property value substitution in the Admin UI is limited to the following categories:

String substitution, where &{some.property|DefaultValue}
Number and integer substitution, including:
- "$number" : "&{openidm.port|1234}"
- "$int" : "&{openidm.port|5678}"
Base64 substitution, such as: "$base64:decode" : "&{openidm.felix.web.console.password|YWRtaW4=}"
Cryptographic substitution, where for passwords and client secrets, IDM substitutes "********" for $crypto

7.6.3.2. Property Value Substitution for Connectors

You cannot use property substitution for connector reference (connectorRef) properties. For example, the following configuration would not be valid:

"connectorRef" : {
    "connectorName" : "&{connectorName}",
    "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
    "bundleVersion" : "&{LDAP.BundleVersion}"
    ...
}

The "connectorName" must be the precise string from the connector configuration. If you need to specify multiple connector version numbers, use a range of versions, for example:

"connectorRef" : {
    "connectorName" : "org.identityconnectors.ldap.LdapConnector",
    "bundleName" : "org.forgerock.openicf.connectors.ldap-connector",
    "bundleVersion" : "[1.5.19.0,1.6.0.0)",
    ...
}

7.6.3.3. Property Value Substitution and the Repository

Configuration fields that use property substitution are stored in the repository as variables. You'll need to store the actual values of each variable in *.properties files.

You can use different *.properties files to vary the configuration for multiple nodes in a cluster.

The properties in the following table can be set through environment variables and more. They're evaluated during the IDM start process, as defined:

Configuration Property Variables

Variable	Description	Environment Variables	System Variables	`boot.properties`
`idm.install.dir`	Directory of files from unpacked IDM binary	X	X	X
`idm.data.dir`	Working location directory	X	X	X
`idm.instance.dir`	Project directory with IDM configuration files	X	X	X
`idm.envconfig.dirs`	Directory with environment files, including `boot.properties`	X	X

In contrast, configuration properties that are explicitly set in project-dir/conf/*.json files are stored in the repository. You can manage these configuration objects by using the REST interface or by using the JSON files themselves. Most aspects of the configuration can also be managed by using the Admin UI, as described in "Configuring the Server from the Admin UI".

You can access configuration properties in scripts using identityServer.getProperty(). For more information, see "The identityServer Variable".

7.7. Setting the Script Configuration

The script configuration file (conf/script.json) lets you modify the parameters that are used when compiling, debugging, and running JavaScript and Groovy scripts.

The default script.json file includes the following parameters:

properties

Any custom properties that should be provided to the script engine.

ECMAScript

Specifies JavaScript debug and compile options. JavaScript is an ECMAScript language.

javascript.debug - the JavaScript debugging configuration. By default this is set to the value of the openidm.script.javascript.debug property in IDM's resolver/boot.properties file.
javascript.recompile.minimumInterval - minimum time after which a script can be recompiled.
The default value is 60000, or 60 seconds. This means that any changes made to scripts will not get picked up for up to 60 seconds. If you are developing scripts, reduce this parameter to around 100 (100 milliseconds).
If you set the javascript.recompile.minimumInterval to -1, or remove this property from the script.json file, IDM does not poll JavaScript files to check for changes.

Groovy

Specifies compilation and debugging options related to Groovy scripts. Many of these options are commented out in the default script configuration file. Remove the comments to set these properties:

groovy.warnings - the log level for Groovy scripts. Possible values are none, likely, possible, and paranoia.
groovy.source.encoding - the encoding format for Groovy scripts. Possible values are UTF-8 and US-ASCII.
groovy.target.directory - the directory to which compiled Groovy classes will be output. The default directory is install-dir/classes.
groovy.target.bytecode - the bytecode version that is used to compile Groovy scripts. The default version is 1.5.
groovy.classpath - the directory in which the compiler should look for compiled classes. The default classpath is install-dir/lib.
To call an external library from a Groovy script, you must specify the complete path to the .jar file or files, as a value of this property. For example:
```
"groovy.classpath" : "/&{idm.install.dir}/lib/http-builder-0.7.1.jar:
         /&{idm.install.dir}/lib/json-lib-2.3-jdk15.jar:
         /&{idm.install.dir}/lib/xml-resolver-1.2.jar:
         /&{idm.install.dir}/lib/commons-collections-3.2.1.jar",
```
Note
If you're deploying on Microsoft Windows, use a semicolon (;) instead of a colon to separate directories in the groovy.classpath.
groovy.output.verbose - specifies the verbosity of stack traces. Boolean, true or false.
groovy.output.debug - specifies whether debugging messages are output. Boolean, true or false.
groovy.errors.tolerance - sets the number of non-fatal errors that can occur before a compilation is aborted. The default is 10 errors.
groovy.script.extension - specifies the file extension for Groovy scripts. The default is .groovy.
groovy.script.base - defines the base class for Groovy scripts. By default any class extends groovy.lang.Script.
groovy.recompile - indicates whether scripts can be recompiled. Boolean, true or false, with default true.
groovy.recompile.minimumInterval - sets the minimum time between which Groovy scripts can be recompiled.
The default value is 60000, or 60 seconds. This means that any changes made to scripts will not get picked up for up to 60 seconds. If you are developing scripts, reduce this parameter to around 100 (100 milliseconds).
groovy.target.indy - specifies whether a Groovy indy test can be used. Boolean, true or false, with default true.
groovy.disabled.global.ast.transformations - specifies a list of disabled Abstract Syntax Transformations (ASTs).

sources

Specifies the locations in which IDM expects to find JavaScript and Groovy scripts that are referenced in the configuration.

The following excerpt of the script.json file shows the default locations:

...
"sources" : {
    "default" : {
        "directory" : "&{idm.install.dir}/bin/defaults/script"
    },
    "install" : {
        "directory" : "&{idm.install.dir}"
    },
    "project" : {
        "directory" : "&{idm.instance.dir}"
    },
    "project-script" : {
        "directory" : "&{idm.instance.dir}/script"
    }
...

Note

The order in which locations are listed in the sources property is important. Scripts are loaded from the bottom up in this list, that is, scripts found in the last location on the list are loaded first.

Note

By default, debug information (such as file name and line number) is excluded from JavaScript exceptions. To troubleshoot script exceptions, you can include debug information by changing the following setting to true in IDM's resolver/boot.properties file:

javascript.exception.debug.info=false

Including debug information in a production environment is not recommended.

7.8. Calling a Script From a Configuration File

You can call a script from within a configuration file by providing the script source, or by referencing a file that contains the script source. For example:

{
    "type" : "text/javascript",
    "source": string
}

or

{
    "type" : "text/javascript",
    "file" : file location
}

type

string, required

Specifies the type of script to be executed. Supported types include text/javascript, and groovy.

source

string, required if file is not specified

Specifies the source code of the script to be executed.

file

string, required if source is not specified

Specifies the file containing the source code of the script to execute.

The file path must be relative to the project-dir. Full file paths are not supported.

The following sample excerpts from configuration files indicate how scripts can be called.

The following example (included in the sync.json file) returns true if the employeeType is equal to external, otherwise returns false. This script can be useful during reconciliation to establish whether a target object should be included in the reconciliation process, or should be ignored:

"validTarget": {
    "type" : "text/javascript",
    "source": "target.employeeType == 'external'"
}

The following example (included in the sync.json file) sets the __PASSWORD__ attribute to defaultpwd when IDM creates a target object:

"onCreate" : {
    "type" : "text/javascript",
    "source": "target.__PASSWORD__ = 'defaultpwd'"
}

The following example (included in the router.json file) shows a trigger to create Solaris home directories using a script. The script is located in the file, project-dir/script/createUnixHomeDir.js:

{
    "filters" : [ {
        "pattern" : "^system/solaris/account$",
        "methods" : [ "create" ],
        "onResponse" : {
            "type" : "text/javascript",
            "file" : "script/createUnixHomeDir.js"
        }
    } ]
}

Often, script files are reused in different contexts. You can pass variables to your scripts to provide these contextual details at runtime. You pass variables to the scripts that are referenced in configuration files by declaring the variable name in the script reference.

The following example of a scheduled task configuration calls a script named triggerEmailNotification.js. The example sets the sender and recipient of the email in the schedule configuration, rather than in the script itself:

{
    "enabled" : true,
    "type" : "cron",
    "schedule" : "0 0/1 * * * ?",
    "persisted" : true,
    "invokeService" : "script",
    "invokeContext" : {
        "script": {
            "type" : "text/javascript",
            "file" : "script/triggerEmailNotification.js",
            "fromSender" : "admin@example.com",
            "toEmail" : "user@example.com"
        }
    }
}

Tip

In general, you should namespace variables passed into scripts with the globals map. Passing variables in this way prevents collisions with the top-level reserved words for script maps, such as file, source, and type. The following example uses the globals map to namespace the variables passed in the previous example.

"script": {
    "type" : "text/javascript",
    "file" : "script/triggerEmailNotification.js",
    "globals" : {
        "fromSender" : "admin@example.com",
        "toEmail" : "user@example.com"
    }
}

Script variables are not necessarily simple key:value pairs. A script variable can be any arbitrarily complex JSON object.

7.9. Configuring HTTP Clients

Several IDM modules, such as the external REST service and identity provider service, need to make HTTP(S) requests to external systems.

HTTP client settings can be configured through any expression resolver (in resolver/boot.properties, environment variables, or Java system properties). Configuration for specific clients can be set in that client's JSON configuration file. For example conf/external.rest.json configures the external REST service and properties set there override the expression resolvers. For more information on property resolution, see "Expression Evaluation and Order of Precedence".

You can set the following properties for HTTP clients:

openidm.http.client.sslAlgorithm

The cipher to be used when making SSL/TLS connections, for example, AES, CBC, or PKCS5Padding. Defaults to the system SSL algorithm.

openidm.http.client.socketTimeout

The TCP socket timeout, in seconds, when waiting for HTTP responses. The default timeout is 10 seconds.

openidm.http.client.connectionTimeout

The TCP connection timeout for new HTTP connections, in seconds. The default timeout is 10 seconds.

openidm.http.client.reuseConnections (true or false)

Specifies whether HTTP connections should be kept alive and reused for additional requests. By default, connections will be reused if possible.

openidm.http.client.retryRequests (true or false)

Specifies whether requests should be retried if a failure is detected. By default requests will be retried.

openidm.http.client.maxConnections (integer)

The maximum number of connections that should be pooled by the HTTP client. At most 64 connections will be pooled by default.

openidm.http.client.hostnameVerifier (string)

Specifies whether the client should check that the hostname to which it has connected is allowed by the certificate that is presented by the server.

The property can take the following values:

STRICT - hostnames are validated
ALLOW_ALL - the external REST service does not attempt to match the URL hostname to the SSL certificate Common Name, as part of its validation process

If you do not set this property, the behavior is to validate hostnames (the equivalent of setting "hostnameVerifier": "STRICT"). In production environments, you should set this property to STRICT.

openidm.http.client.proxy.uri

Specifies that the client should make its HTTP(S) requests through the specified proxy server.

openidm.http.client.proxy.userName

The username of the account for the specified proxy.

openidm.http.client.proxy.password

The password of the account for the specified proxy.

openidm.http.client.proxy.useSystem (true or false)

If true>, specifies a system-wide proxy with the JVM system properties, http.proxyHost, http.proxyPort, and (optionally) http.nonProxyHosts.

If openidm.http.client.proxy.uri is set, and not empty, that setting overrides the system proxy setting.

Chapter 8. Accessing Data Objects

IDM supports a variety of objects that can be addressed via a URL or URI. You can access data objects by using scripts (through the Resource API) or by using direct HTTP calls (through the REST API).

The following sections describe these two methods of accessing data objects, and provide information on constructing and calling data queries.

8.1. Accessing Data Objects By Using Scripts

IDM's uniform programming model means that all objects are queried and manipulated in the same way, using the Resource API. The URL or URI that is used to identify the target object for an operation depends on the object type. For an explanation of object types, see "Data Models and Objects Reference". For more information about scripts and the objects available to scripts, see "Scripting Reference".

You can use the Resource API to obtain managed, system, configuration, and repository objects, as follows:

val = openidm.read("managed/organization/mysampleorg")
val = openidm.read("system/mysystem/account")
val = openidm.read("config/custom/mylookuptable")
val = openidm.read("repo/custom/mylookuptable")

For information about constructing an object ID, see "URI Scheme".

You can update entire objects with the update() function, as follows:

openidm.update("managed/organization/mysampleorg", rev, object)
openidm.update("system/mysystem/account", rev, object)

You can apply a partial update to a managed or system object by using the patch() function:

openidm.patch("managed/organization/mysampleorg", rev, value)

The create(), delete(), and query() functions work the same way.

8.2. Accessing Data Objects By Using the REST API

IDM provides RESTful access to data objects through the ForgeRock Common REST API. To access objects over REST, you can use a browser-based REST client, such as the Simple REST Client for Chrome, or RESTClient for Firefox. Alternatively you can use the curl command-line utility.

For a comprehensive overview of the REST API, see "REST API Reference".

To obtain a managed object through the REST API, depending on your security settings and authentication configuration, perform an HTTP GET on the corresponding URL, for example http://localhost:8080/openidm/managed/organization/mysampleorg.

By default, the HTTP GET returns a JSON representation of the object.

In general, you can map any HTTP request to the corresponding openidm.method call. The following example shows how the parameters provided in an openidm.query request correspond with the key-value pairs that you would include in a similar HTTP GET request:

Reading an object using the Resource API:

openidm.query("managed/user", { "_queryId": "query-all" }, ["userName","sn"])

Reading an object using the REST API:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 "http://localhost:8080/openidm/managed/user?_queryId=query-all&_fields=userName,sn"

8.3. Defining and Calling Queries

An advanced query model lets you define queries and to call them over the REST or Resource API. Three types of queries are supported, on both managed, and system objects:

Common filter expressions
Parameterized, or predefined queries
Native query expressions

Each of these mechanisms is discussed in the following sections.

Tip

For limits on queries in progressive profiling, see "Custom Progressive Profile Conditions".

8.3.1. Common Filter Expressions

The ForgeRock REST API defines common filter expressions that enable you to form arbitrary queries using a number of supported filter operations. This query capability is the standard way to query data if no predefined query exists, and is supported for all managed and system objects.

Common filter expressions are useful in that they do not require knowledge of how the object is stored and do not require additions to the repository configuration.

Common filter expressions are called with the _queryFilter keyword. The following example uses a common filter expression to retrieve managed user objects whose user name is Smith:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 'http://localhost:8080/openidm/managed/user?_queryFilter=userName+eq+"smith"'

The filter is URL encoded in this example. The corresponding filter using the resource API would be:

openidm.query("managed/user", { "_queryFilter" : '/userName eq "smith"' });

Note that, this JavaScript invocation is internal and is not subject to the same URL-encoding requirements that a GET request would be. Also, because JavaScript supports the use of single quotes, it is not necessary to escape the double quotes in this example.

For a list of supported filter operations, see "Constructing Queries".

Note

Using common filter expressions to retrieve values from arrays is currently not supported. If you need to search within an array, set up a predefined (parameterized) query in your repository configuration. For more information, see "Parameterized Queries".

8.3.2. Parameterized Queries

Managed objects in the supported repositories can be accessed using a parameterized query mechanism. Parameterized queries on repositories are defined in the repository configuration (repo.*.json) and are called by their _queryId.

Parameterized queries provide precise control over the query that is executed. Such control might be useful for tuning, or for performing database operations such as aggregation (which is not possible with a common filter expression.)

Parameterized queries provide security and portability for the query call signature, regardless of the backend implementation. Queries that are exposed over the REST interface must be parameterized queries to guard against injection attacks and other misuse. Queries on the officially supported repositories have been reviewed and hardened against injection attacks.

For system objects, support for parameterized queries is restricted to _queryId=query-all-ids. There is currently no support for user-defined parameterized queries on system objects. Typically, parameterized queries on system objects are not called directly over the REST interface, but are issued from internal calls, such as correlation queries.

A typical query definition is as follows:

"query-all-ids" : "SELECT objectid FROM ${_dbSchema}.${_table} LIMIT ${int:_pageSize} OFFSET ${int:_pagedResultsOffset}",

To call this query, you would reference its ID, as follows:

?_queryId=query-all-ids

The following example calls query-all-ids over the REST interface:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 "http://localhost:8080/openidm/managed/user?_queryId=query-all-ids"

Note

In repo.jdbc.json, the queries configuration object has a property, validInRelationshipQuery, which is an array specifying the query IDs of queries that make use of relationships. If you create additional queries that you expect to use as part of a relationship query, be sure to add the query ID to this array. If no query IDs are specified or the property is missing, relationship information will not be returned in query results, even if requested. For more information about relationships, see "Managing Relationships Between Objects".

8.3.3. Native Query Expressions

Native query expressions are supported for all managed objects and system objects, and can be called directly, rather than being defined in the repository configuration.

Native queries are intended specifically for internal callers, such as custom scripts, and should be used only in situations where the common filter or parameterized query facilities are insufficient. For example, native queries are useful if the query needs to be generated dynamically.

The query expression is specific to the target resource. For repositories, queries use the native language of the underlying data store. For system objects that are backed by ICF connectors, queries use the applicable query language of the system resource.

Important

Native query expressions are not supported with the default DS repository.

Native queries on the repository are made using the _queryExpression keyword. For example:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 "http://localhost:8080/openidm/managed/user?_queryExpression=select+*+from+managed_user"

Unless you have specifically enabled native queries over REST, the previous command returns a 403 access denied error message. Native queries are not portable and do not guard against injection attacks. Such query expressions should therefore not be used or made accessible over the REST interface or over HTTP in production environments. They should be used only via the internal Resource API. If you want to enable native queries over REST for development, see "Protecting Sensitive REST Interface URLs".

Alternatively, if you really need to expose native queries over HTTP, in a selective manner, you can design a custom endpoint to wrap such access.

8.3.4. Constructing Queries

The openidm.query function lets you query managed and system objects. The query syntax is openidm.query(id, params), where id specifies the object on which the query should be performed and params provides the parameters that are passed to the query, either _queryFilter or _queryId. For example:

var params = {
    '_queryFilter' : 'givenName co "' + sourceCriteria + '" or ' + 'sn co "' + sourceCriteria + '"'
};
var results = openidm.query("system/ScriptedSQL/account", params)

Over the REST interface, the query filter is specified as _queryFilter=filter, for example:

$ curl \
 --header "X-OpenIDM-Username: openidm-admin" \
 --header "X-OpenIDM-Password: openidm-admin" \
 --request GET \
 'http://localhost:8080/openidm/managed/user?_queryFilter=userName+eq+"Smith"'

Note the use of double-quotes around the search term: Smith. In _queryFilter expressions, string values must use double-quotes. Numeric and boolean expressions should not use quotes.

When called over REST, you must URL encode the filter expression. The following examples show the filter expressions using the resource API and the REST API, but do not show the URL encoding, to make them easier to read.

Note that, for generic mappings, any fields that are included in the query filter (for example userName in the previous query), must be explicitly defined as searchable, if you have set the global searchableDefault to false. For more information, see "Improving Generic Mapping Search Performance (JDBC)".

The filter expression is constructed from the building blocks shown in this section. In these expressions the simplest json-pointer is a field of the JSON resource, such as userName or id. A JSON pointer can, however, point to nested elements.

Note

You can also use the negation operator (!) in query construction. For example, a _queryFilter=!(userName+eq+"jdoe") query would return every userName except for jdoe.

You can set up query filters with the following expression types:

8.3.4.1. Comparison Expressions

Equal queries (see "Querying Objects That Equal a Specified Value")
Contains queries (see "Querying Objects That Contain a Specified Value")
Starts with queries (see "Querying Objects That Start With a Specified Value")
Less than queries (see "Querying Objects That Are Less Than a Specified Value")
Less than or equal to queries (see "Querying Objects That Are Less Than or Equal to a Specified Value")
Greater than queries (see "Querying Objects That Are Greater Than a Specified Value")
Greater than or equal to queries (see "Querying Objects That Are Greater Than or Equal to a Specified Value")

Note

Certain system endpoints also support EndsWith and ContainsAllValues queries. However, such queries are not supported for managed objects and have not been tested with all supported ICF connectors.