Administrative Users

The default IDM administrative user is openidm-admin. In a production environment, you might want to replace this user with a managed or internal user with the same roles, specifically the openidm-admin and openidm-authorized roles.

You can create either an internal or managed user with the same roles as the default openidm-admin user. To add these roles to an existing managed user, see "Grant Internal Authorization Roles Manually". The following procedure creates a new administrative internal user (admin):

  1. Create an internal user:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --header "Content-Type: application/json" \
    --cacert ca-cert.pem \
    --request PUT \
    --data '{
      "password": "Passw0rd"
    }' \
    "https://localhost:8443/openidm/internal/user/admin"
    {
      "_id": "admin",
      "_rev": "00000000210f6746"
    }
  2. Add a STATIC_USER authentication module to the authentication configuration:

    Edit the conf/authentication.json file, and add the following:

    {
      "name" : "STATIC_USER",
      "properties" : {
        "queryOnResource" : "internal/user",
        "username" : "admin",
        "password" : "Passw0rd",
        "defaultUserRoles" : [
          "internal/role/openidm-authorized",
          "internal/role/openidm-admin"
        ]
      },
      "enabled" : true
    }

    Alternatively, add the same module over REST with a PATCH request:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Content-Type: application/json" \
    --header "Accept-API-Version: resource=1.0" \
    --cacert ca-cert.pem \
    --request PATCH \
    --data '[
      {
        "operation": "add",
        "field": "/serverAuthContext/authModules/-",
        "value": {
          "name" : "STATIC_USER",
          "properties" : {
            "queryOnResource" : "internal/user",
            "username" : "admin",
            "password" : "Passw0rd",
            "defaultUserRoles" : [
              "internal/role/openidm-authorized",
              "internal/role/openidm-admin"
            ]
          },
          "enabled" : true
        }
      }
    ]' \
    "https://localhost:8443/openidm/config/authentication"
    {
      "_id": "authentication",
      "serverAuthContext": {
        ...
        "authModules": [
          ...
          {
            "name": "STATIC_USER",
            "properties": {
              "queryOnResource": "internal/user",
              "username": "admin",
              "password": "{encrypted password}",
              "defaultUserRoles": [
                "internal/role/openidm-authorized",
                "internal/role/openidm-admin"
              ]
            },
            "enabled": true
          },
          ...
        ]
      }
    }
  3. To verify the changes, perform a REST call or log in to the Admin UI as the new admin user. For example, query the list of internal users:

    curl \
    --header "X-OpenIDM-Username: admin" \
    --header "X-OpenIDM-Password: Passw0rd" \
    --header "Accept-API-Version: resource=1.0" \
    --cacert ca-cert.pem \
    --request GET \
    "https://localhost:8443/openidm/internal/user?_queryFilter=true"
    {
      "result": [
        {
          "_id": "admin",
          "_rev": "00000000f8e1665a"
        }
      ],
      ...
    }
  4. (Optional) After you have verified that the new admin user can authenticate, delete the openidm-admin user or disable its authentication module. Complete step 3 first; removing the default account before the replacement works risks losing administrative access:

    1. Delete the openidm-admin object:

      curl \
      --header "X-OpenIDM-Username: admin" \
      --header "X-OpenIDM-Password: Passw0rd" \
      --header "Accept-API-Version: resource=1.0" \
      --cacert ca-cert.pem \
      --request DELETE \
      "https://localhost:8443/openidm/internal/user/openidm-admin"
      {
        "_id": "openidm-admin",
        "_rev": "00000000210f6746"
      }
    2. Delete the authentication module for "username" : "openidm-admin":

      Edit the conf/authentication.json file, and delete:

      {
        "name" : "STATIC_USER",
        "properties" : {
          "queryOnResource" : "internal/user",
          "username" : "openidm-admin",
          "password" : "&{openidm.admin.password}",
          "defaultUserRoles" : [
            "internal/role/openidm-authorized",
            "internal/role/openidm-admin"
          ]
        },
        "enabled" : true
      }

      Alternatively, remove the module over REST:

      1. Get the current authentication configuration:

        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --cacert ca-cert.pem \
        --request GET \
        "https://localhost:8443/openidm/config/authentication"
        {
          "_id": "authentication",
          "serverAuthContext": {
            ...
            "authModules": [
              ...
              {
                "name": "STATIC_USER",
                "properties": {
                  "queryOnResource": "internal/user",
                  "username": "openidm-admin",
                  "password": "&{openidm.admin.password}",
                  "defaultUserRoles": [
                    "internal/role/openidm-authorized",
                    "internal/role/openidm-admin"
                  ]
                },
                "enabled": true
              },
              ...
            ]
          }
        }
      2. Remove the authentication module for "username" : "openidm-admin", and replace the authentication configuration:

        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --header "Content-Type: application/json" \
        --cacert ca-cert.pem \
        --request PUT \
        --data '{
          "_id": "authentication",
          "serverAuthContext": {
            "sessionModule": {
              "name": "JWT_SESSION",
              "properties": {
                "maxTokenLifeMinutes": 120,
                "tokenIdleTimeMinutes": 30,
                "sessionOnly": true,
                "isHttpOnly": true,
                "enableDynamicRoles": false
              }
            },
            "authModules": [
              {
                "name": "STATIC_USER",
                "properties": {
                  "queryOnResource": "internal/user",
                  "username": "anonymous",
                  "password": {
                    "$crypto": {
                      "type": "x-simple-encryption",
                      "value": {
                        "cipher": "AES/CBC/PKCS5Padding",
                        "stableId": "openidm-sym-default",
                        "salt": "xBlTp67ze4Ca5LTocXOpoA==",
                        "data": "mdibV6UabU2M+M5MK7bjFQ==",
                        "keySize": 16,
                        "purpose": "idm.config.encryption",
                        "iv": "36D2+FumKbaUsndNQ+/+5w==",
                        "mac": "ZM8GMnh0n80QwtSH6QsNmA=="
                      }
                    }
                  },
                  "defaultUserRoles": [
                    "internal/role/openidm-reg"
                  ]
                },
                "enabled": true
              },
              {
                "name": "STATIC_USER",
                "properties": {
                  "queryOnResource": "internal/user",
                  "username": "admin",
                  "password": "{encrypted password}",
                  "defaultUserRoles": [
                    "internal/role/openidm-authorized",
                    "internal/role/openidm-admin"
                  ]
                },
                "enabled": true
              },
              {
                "name": "MANAGED_USER",
                "properties": {
                  "augmentSecurityContext": {
                    "type": "text/javascript",
                    "source": "require('auth/customAuthz').setProtectedAttributes(security)"
                  },
                  "queryId": "credential-query",
                  "queryOnResource": "managed/user",
                  "propertyMapping": {
                    "authenticationId": "username",
                    "userCredential": "password",
                    "userRoles": "authzRoles"
                  },
                  "defaultUserRoles": [
                    "internal/role/openidm-authorized"
                  ]
                },
                "enabled": true
              },
              {
                "name": "SOCIAL_PROVIDERS",
                "properties": {
                  "defaultUserRoles": [
                    "internal/role/openidm-authorized"
                  ],
                  "augmentSecurityContext": {
                    "type": "text/javascript",
                    "globals": {},
                    "file": "auth/populateAsManagedUserFromRelationship.js"
                  },
                  "propertyMapping": {
                    "userRoles": "authzRoles"
                  }
                },
                "enabled": true
              }
            ]
          }
        }' \
        "https://localhost:8443/openidm/config/authentication"
    3. Prevent the openidm-admin user from being recreated on startup.

      Delete the following lines from the internal/user array in conf/repo.init.json:

      {
          "id" : "openidm-admin",
          "password" : "&{openidm.admin.password}"
      }

    To disable the openidm-admin user instead of deleting it, change the enabled state of the authentication module for "username" : "openidm-admin" to false:

    Edit the conf/authentication.json file:

    {
      "name" : "STATIC_USER",
      "properties" : {
        "queryOnResource" : "internal/user",
        "username" : "openidm-admin",
        "password" : "&{openidm.admin.password}",
        "defaultUserRoles" : [
          "internal/role/openidm-authorized",
          "internal/role/openidm-admin"
        ]
      },
      "enabled" : false
    }

    Alternatively, over REST:

    1. Get the current authentication configuration:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --cacert ca-cert.pem \
      --request GET \
      "https://localhost:8443/openidm/config/authentication"
      {
        "_id": "authentication",
        "serverAuthContext": {
          ...
          "authModules": [
            ...
            {
              "name": "STATIC_USER",
              "properties": {
                "queryOnResource": "internal/user",
                "username": "openidm-admin",
                "password": "&{openidm.admin.password}",
                "defaultUserRoles": [
                  "internal/role/openidm-authorized",
                  "internal/role/openidm-admin"
                ]
              },
              "enabled": true
            },
            ...
          ]
        }
      }
    2. Change the enabled state of the authentication module for "username" : "openidm-admin", and replace the authentication configuration:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --header "Content-Type: application/json" \
      --cacert ca-cert.pem \
      --request PUT \
      --data '{
        "_id": "authentication",
        "serverAuthContext": {
          "sessionModule": {
            "name": "JWT_SESSION",
            "properties": {
              "maxTokenLifeMinutes": 120,
              "tokenIdleTimeMinutes": 30,
              "sessionOnly": true,
              "isHttpOnly": true,
              "enableDynamicRoles": false
            }
          },
          "authModules": [
            {
              "name": "STATIC_USER",
              "properties": {
                "queryOnResource": "internal/user",
                "username": "anonymous",
                "password": {
                  "$crypto": {
                    "type": "x-simple-encryption",
                    "value": {
                      "cipher": "AES/CBC/PKCS5Padding",
                      "stableId": "openidm-sym-default",
                      "salt": "xBlTp67ze4Ca5LTocXOpoA==",
                      "data": "mdibV6UabU2M+M5MK7bjFQ==",
                      "keySize": 16,
                      "purpose": "idm.config.encryption",
                      "iv": "36D2+FumKbaUsndNQ+/+5w==",
                      "mac": "ZM8GMnh0n80QwtSH6QsNmA=="
                    }
                  }
                },
                "defaultUserRoles": [
                  "internal/role/openidm-reg"
                ]
              },
              "enabled": true
            },
            {
              "name": "STATIC_USER",
              "properties": {
                "queryOnResource": "internal/user",
                "username": "openidm-admin",
                "password": "&{openidm.admin.password}",
                "defaultUserRoles": [
                  "internal/role/openidm-authorized",
                  "internal/role/openidm-admin"
                ]
              },
              "enabled": false
            },
            {
              "name": "MANAGED_USER",
              "properties": {
                "augmentSecurityContext": {
                  "type": "text/javascript",
                  "source": "require('auth/customAuthz').setProtectedAttributes(security)"
                },
                "queryId": "credential-query",
                "queryOnResource": "managed/user",
                "propertyMapping": {
                  "authenticationId": "username",
                  "userCredential": "password",
                  "userRoles": "authzRoles"
                },
                "defaultUserRoles": [
                  "internal/role/openidm-authorized"
                ]
              },
              "enabled": true
            },
            {
              "name": "SOCIAL_PROVIDERS",
              "properties": {
                "defaultUserRoles": [
                  "internal/role/openidm-authorized"
                ],
                "augmentSecurityContext": {
                  "type": "text/javascript",
                  "globals": {},
                  "file": "auth/populateAsManagedUserFromRelationship.js"
                },
                "propertyMapping": {
                  "userRoles": "authzRoles"
                }
              },
              "enabled": true
            }
          ]
        }
      }' \
      "https://localhost:8443/openidm/config/authentication"
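The following Python script is an added example; it is not part of the ForgeRock IDM documentation or the IDM code base. It models the two edits this procedure makes to the authModules array of conf/authentication.json (the JSON Patch body of step 2 and the delete-or-disable choice of step 4) on a constructed copy of the file, and runs a review pass that flags what a practitioner checks before the change ships: the default openidm-admin module still enabled, an admin-role module whose password is a plaintext literal rather than a &{property} reference or a $crypto object, and the lockout case where no enabled module grants openidm-admin at all. The sample configuration, the placeholder standing in for the encrypted anonymous password, and the property name example.admin.password are assumptions of mine, not values from the page.

```python
# Added example (not from the ForgeRock IDM documentation or code base): offline
# helpers for reviewing the edits this procedure makes to the "authModules" array
# of conf/authentication.json. Everything works on a plain dict loaded from the
# file; nothing here talks to a running IDM instance.
import copy
import json

ADMIN_ROLES = {"internal/role/openidm-authorized", "internal/role/openidm-admin"}

# Constructed sample mirroring the structure shown in the procedure. The
# anonymous module's encrypted password is a placeholder, not a real $crypto blob.
SAMPLE_CONFIG = {
    "_id": "authentication",
    "serverAuthContext": {
        "sessionModule": {"name": "JWT_SESSION", "properties": {"sessionOnly": True}},
        "authModules": [
            {"name": "STATIC_USER", "enabled": True,
             "properties": {"queryOnResource": "internal/user", "username": "anonymous",
                            "password": {"$crypto": {"type": "x-simple-encryption",
                                                     "value": {"data": "PLACEHOLDER"}}},
                            "defaultUserRoles": ["internal/role/openidm-reg"]}},
            {"name": "STATIC_USER", "enabled": True,
             "properties": {"queryOnResource": "internal/user", "username": "openidm-admin",
                            "password": "&{openidm.admin.password}",
                            "defaultUserRoles": sorted(ADMIN_ROLES)}},
            {"name": "STATIC_USER", "enabled": True,
             "properties": {"queryOnResource": "internal/user", "username": "admin",
                            "password": "Passw0rd",
                            "defaultUserRoles": sorted(ADMIN_ROLES)}},
            {"name": "MANAGED_USER", "enabled": True,
             "properties": {"queryOnResource": "managed/user",
                            "defaultUserRoles": ["internal/role/openidm-authorized"]}},
        ],
    },
}


def static_user_modules(config):
    """All STATIC_USER entries of the authModules array, in file order."""
    return [m for m in config["serverAuthContext"]["authModules"] if m.get("name") == "STATIC_USER"]


def build_add_patch(username, password, roles):
    """JSON Patch body for step 2: append a STATIC_USER module to authModules."""
    return [{
        "operation": "add",
        "field": "/serverAuthContext/authModules/-",
        "value": {
            "name": "STATIC_USER",
            "properties": {"queryOnResource": "internal/user", "username": username,
                           "password": password, "defaultUserRoles": list(roles)},
            "enabled": True,
        },
    }]


def remove_static_user(config, username):
    """'Delete' branch of step 4: drop the STATIC_USER module for `username`."""
    new = copy.deepcopy(config)
    modules = new["serverAuthContext"]["authModules"]
    kept = [m for m in modules
            if not (m.get("name") == "STATIC_USER" and m["properties"].get("username") == username)]
    if len(kept) == len(modules):
        raise KeyError(f"no STATIC_USER module for {username!r}")
    new["serverAuthContext"]["authModules"] = kept
    return new


def disable_static_user(config, username):
    """'Disable' branch of step 4: set enabled=false without removing the module."""
    new = copy.deepcopy(config)
    targets = [m for m in static_user_modules(new) if m["properties"].get("username") == username]
    if not targets:
        raise KeyError(f"no STATIC_USER module for {username!r}")
    for m in targets:
        m["enabled"] = False
    return new


def audit(config):
    """Findings a reviewer would raise before this file goes to production."""
    findings = []
    enabled_admins = []
    for m in static_user_modules(config):
        props = m["properties"]
        user = props.get("username")
        grants_admin = ADMIN_ROLES <= set(props.get("defaultUserRoles", []))
        password = props.get("password")
        enabled = m.get("enabled", True)
        if enabled and grants_admin:
            enabled_admins.append(user)
        if enabled and user == "openidm-admin":
            findings.append("default openidm-admin STATIC_USER module is still enabled")
        # A literal string that is neither a &{property} reference nor a $crypto
        # object means the admin credential sits in the file in clear text.
        if grants_admin and isinstance(password, str) and not password.startswith("&{"):
            findings.append(f"STATIC_USER module for {user!r} grants admin roles with a plaintext password literal")
    if not enabled_admins:
        findings.append("no enabled STATIC_USER module grants openidm-admin: lockout risk")
    return findings


if __name__ == "__main__":
    # example.admin.password is a hypothetical property name for a &{...} reference.
    print(json.dumps(build_add_patch("admin", "&{example.admin.password}", ADMIN_ROLES), indent=2))
    print("before:", audit(SAMPLE_CONFIG))
    print("after delete:", audit(remove_static_user(SAMPLE_CONFIG, "openidm-admin")))
    print("after disable:", audit(disable_static_user(SAMPLE_CONFIG, "openidm-admin")))
```

Run it on a real file by replacing SAMPLE_CONFIG with `json.load(open("conf/authentication.json"))`; the transforms return copies, so the loaded dict is never mutated and the audit of the before and after states can be compared side by side.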