Authenticate through AM
From IDM 7.0 onwards, using AM bearer tokens for authentication is the only supported method of integrating IDM with AM. |
ForgeRock Access Management (AM) is a product that provides an infrastructure for managing users, roles, and access to resources. When you use IDM and AM together in a platform deployment, you must configure IDM to use AM bearer tokens for authentication. This delegates all authentication to AM. In this configuration:
-
IDM uses an
rsFilter
that replaces all other authentication methods. -
All IDM endpoints that require authentication are accessed using an authorization header that contains the bearer token, instead of
X-OpenIDM-Username
andX-OpenIDM-Password
. Endpoints that allow anonymous access can be accessed without a token.
To use AM bearer tokens for authentication, your AM configuration must include at least the following configuration:
-
Two OAuth 2.0 clients: an
idm-resource-server
client to introspect the bearer token and anidm-provisioning
client used by AM to provision users in IDM. For information on configuring these clients, refer to Configure OAuth Clients (separate identity stores) or Configure OAuth Clients (shared identity store) in the sample platform deployments. -
An OAuth 2 provider service (separate identity stores) or OAuth 2 provider service (shared identity store).
-
An IDM provisioning service (separate identity stores) or IDM provisioning service (shared identity store).
Your IDM authentication configuration must include the rsFilter
configuration and no other authentication methods.
The rsFilter
configuration includes the following properties:
clientId
-
The client ID of the AM OAuth 2.0 client used to introspect the bearer token (the
idm-resource-server
) client, in this example). clientSecret
-
The client secret of the AM OAuth 2.0 client used to introspect the bearer token. IDM encrypts this field if it isn’t already.
tokenIntrospectUrl
-
The URI to reach the
oauth2/introspect
endpoint in AM; for example,http://am.example:8080/openam/oauth2/introspect
. scopes
-
Any scopes required to be present in the access token. This varies depending on your configuration. For more information about scopes, refer to OAuth 2.0 Scopes in the AM OAuth 2.0 Guide.
cache
-
Sets the
maxTimeout
, in seconds, after which the token is removed from the cache. augmentSecurityContext
-
Specifies a script that is executed only after a successful authentication request. The script helps to populate the expected security context. For more information, refer to The
augmentSecurityContext
trigger.You can disable execution of the script for anonymous and static user mappings using the executeAugmentationScript
property. Doing so can improve IDM’s performance for user mappings where it’s not necessary to run the script. subjectMapping
-
An array of mappings that let you map AM realms to IDM managed object types. For example:
"subjectMapping" : [ { "resourceTypeMapping" : { "usr" : "managed/user" }, "propertyMapping" : { "sub" : "_id" }, "userRoles" : "authzRoles/*", "additionalUserFields" : [ "adminOfOrg", "ownerOfOrg" ], "defaultRoles" : [ "internal/role/openidm-authorized" ] } ],
Each
subjectMapping
includes the following properties:-
Either a
resourceTypeMapping
or aqueryOnResource
property:-
resourceTypeMapping
: Maps the identity type of a subject claim in AM to a resource collection in IDM. In the access token, the subject claim is a compound identity that consists of the claimtype
and subject name, separated by a!
.To use a
resourceTypeMapping
, unique Oauth2 subject claims must be enabled in AM. (From AM 7.1, these are enabled by default.) For more information about subject claims, refer to About the Subject and the Subname Claims in the section on /oauth2/userinfo. -
queryOnResource
: The IDM resource to check for the authenticating user; for example,managed/user
.If your AM and IDM deployments use consistent realm and managed object naming, you can configure the
resourceTypeMapping
and thequeryOnResource
properties to let a single subject mapping match multiple realms. This uses a dynamic handlebars template, as in the following example:Example configuration"resourceTypeMapping" : { "usr" : "managed/{{substring realm 1}}" }
This configuration lets an access token with the realm
employee
map to an IDMmanaged/employee
, and an access token with the realmcontractor
map to an IDMmanaged/contractor
.
-
-
realm
: The AM realm to which this subject mapping applies. A value of/
specifies the top-level realm. If this property is absent, the mapping can apply to any realm, which is useful if theresourceTypeMapping
orqueryOnResource
uses a dynamic handlebars template.You cannot have more than one mapping for the same realm, and you cannot have more than one mapping that has no
realm
in the configuration. -
propertyMapping
: Maps fields in the AM access token to properties in IDM. This mapping is used to construct the query filter that locates the authenticating user. The default configuration maps the subject (sub
) in the access token to the_id
in IDM. -
userRoles
: Determines the field to consult for locating the authorization roles; usuallyauthzRoles
, unless you have changed how user roles are stored. This field must be a relationship field. IDM uses the_refId
from the array elements to populate the user roles in the security context. -
additionalUserFields
: Determines the field to consult for locating the authorization roles; usuallyauthzRoles
, unless you have changed how user roles are stored. This field must be a relationship field. IDM uses the_refId
from the array elements to populate the user roles in the security context. -
defaultRoles
: The default roles that should be applied to a user who authenticates using thersFilter
.
Although you can configure an array of subject mappings, only one mapping is selected and used during the authentication process. If there is a
realm
attribute in the access token, that realm is used to select an appropriate mapping. If no mapping is defined for the access token’s realm, or if the realm is not provided in the access token, the authentication uses a mapping that does not define arealm
. -
staticUserMapping
-
Maps AM users to a matching IDM user. Can contain multiple user mappings, each with the following properties:
-
subject
of the access token (the AM user). If you have specified aresourceTypeMapping
, the static user mapping includes the full new subject string to match service accounts or static subject mappings, for example:"subject" : "(usr!amadmin)"
-
localUser
is the IDM user you want to associate with the AM user identified insubject
. For example, ifsubject
is set to(usr!amadmin)
, you can set the correspondinglocalUser
tointernal/user/openidm-admin
. -
roles
the default IDM roles that this mapped user has after they authenticate. -
executeAugmentationScript
: a boolean value. Whenfalse
, the scripts specified inaugmentSecurityContext
will not run for the user mapping.The
idm-provisioning
subject is a service account used by AM to provision users in IDM. You must include this subject in yourstaticUserMapping
, for example:{ "subject": "(age!idm-provisioning)", "localUser": "internal/user/idm-provisioning", "roles" : [ "internal/role/platform-provisioning" ] }
-
anonymousUserMapping
-
The default user used when no access token is included in the request. Contains the following:
-
localUser
: the IDM user resource referenced when no specific user is identified. For example,internal/user/anonymous
. -
roles
: the default roles the anonymous user has, usuallyinternal/role/openidm-reg
. -
executeAugmentationScript
: a boolean value. Whenfalse
, the scripts specified inaugmentSecurityContext
will not run for the user mapping.
-
Test authentication through AM
-
Obtain a bearer token from AM. For example:
curl \ --header "X-OpenAM-Username: amAdmin" \ --header "X-OpenAM-Password: password" \ --header "Accept-API-Version: resource=2.0, protocol=1.0" \ --request POST \ --data "grant_type=client_credentials" \ --data "client_id=idm-provisioning" \ --data "client_secret=openidm" \ --data "scope=fr:idm:*" \ "http://am.example.com:8080/am/oauth2/realms/root/access_token" { "access_token": "z4uKDWiv4wnxKY7OjeG04PujG8E", "scope": "fr:idm:*", "token_type": "Bearer", "expires_in": 3599 }
-
Authenticate to IDM using that bearer token:
curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer z4uKDWiv4wnxKY7OjeG04PujG8E" \ 'http://localhost:8080/openidm/info/login' { "_id": "login", "authenticationId": "idm-provisioning", "authorization": { "id": "idm-provisioning", "roles": [ "internal/role/platform-provisioning" ], "component": "internal/user" } }
Refer to the sample platform setup documentation for instructions on setting up IDM to use AM bearer tokens for authentication.