Hide Unused REST Endpoints
The two main use cases for IDM are data synchronization and user self-service.
If you are using IDM only to synchronize data sources, do not expose the server externally. In this case, all connections are initiated by IDM.
If you are using IDM only for user self-service, ensure that the server is placed behind a firewall or proxy, such as ForgeRock Identity Gateway. At a minimum, hide the /admin endpoint in the web interface via the proxy. Use the conf/access.json file as a guide for proxy or firewall rules.
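As an added example (not part of the ForgeRock documentation), the script below turns an access.json-style file into a proxy allow-list: every pattern that only administrative roles may reach is treated as something the proxy should not expose, and only patterns granted to non-admin roles are kept. It assumes the layout of access.json is a "configs" array whose entries carry "pattern", "roles", "methods" and "actions", that the REST base path is /openidm, and that the admin role is named openidm-admin or internal/role/openidm-admin; the sample file content is constructed.

```python
"""Derive a proxy allow-list from an IDM-style conf/access.json.

Added example, not ForgeRock's own code. Assumptions: access.json is a
"configs" array of rules with "pattern", "roles", "methods", "actions";
the REST base path is /openidm; the sample below is constructed.
"""
import json

# Constructed sample in the shape of conf/access.json (not a real file).
SAMPLE_ACCESS_JSON = """
{
  "configs": [
    {"pattern": "info/*", "roles": "*", "methods": "read", "actions": "*"},
    {"pattern": "*", "roles": "internal/role/openidm-admin", "methods": "*", "actions": "*"},
    {"pattern": "managed/user/*", "roles": "internal/role/openidm-authorized", "methods": "read,update,patch", "actions": "*"},
    {"pattern": "selfservice/reset", "roles": "*", "methods": "read,action", "actions": "*"},
    {"pattern": "system/*", "roles": "internal/role/openidm-admin", "methods": "*", "actions": "*"}
  ]
}
"""

# Administrative role names as used by older and newer IDM releases (assumption).
ADMIN_ROLES = {"openidm-admin", "internal/role/openidm-admin"}


def classify_patterns(access_json_text):
    """Split patterns into those any non-admin role may reach (must stay
    reachable through the proxy for self-service) and those granted only
    to admin roles (must not be exposed externally)."""
    configs = json.loads(access_json_text)["configs"]
    public, admin_only = set(), set()
    for rule in configs:
        roles = {r.strip() for r in rule.get("roles", "").split(",") if r.strip()}
        if roles and roles <= ADMIN_ROLES:
            admin_only.add(rule["pattern"])
        else:
            public.add(rule["pattern"])
    # A pattern granted to both admin and non-admin roles stays public.
    admin_only -= public
    return sorted(public), sorted(admin_only)


def proxy_allow_prefixes(public_patterns):
    """Render public patterns as URL prefixes to allow at the proxy; the
    trailing wildcard is dropped. Everything else, including the /admin
    UI and the admin-only catch-all "*", is denied by default."""
    return ["/openidm/" + p.rstrip("*") for p in public_patterns]


if __name__ == "__main__":
    public, hidden = classify_patterns(SAMPLE_ACCESS_JSON)
    print("allow:", proxy_allow_prefixes(public))
    print("admin-only (keep internal):", hidden)
```

The allow-list is only a starting point: review each prefix against the self-service flows you actually use, and deny anything not on it at the proxy.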
If you are using IDM for both data synchronization and user self-service, it is preferable to run two IDM servers or clusters, each with its own security model. Because the two use cases have very different load characteristics and security implications, running them on separate servers helps prevent synchronization activity from degrading performance for end users.