Set up IDM
This procedure sets up IDM with an external DS instance as the repository. The DS instance is shared with AM as the identity store. The procedure reflects the listed server settings for installing IDM and DS.
-
Follow the instructions in the IDM documentation to download and install IDM.
-
Edit the /path/to/openidm/resolver/boot.properties file to set the hostname:
openidm.host=openidm.example.com -
Configure the shared IDM repository.
This step assumes that you have set up the identity store, and exported the DS CA certificate from
identities.example.com(as shown in Step 4 of Secure connections).-
Import the DS CA certificate into the IDM truststore:
keytool \ -importcert \ -alias identities-ca-cert \ -file /path/to/identities-ca-cert.pem \ -keystore /path/to/openidm/security/truststore \ -storepass:file /path/to/openidm/security/storepass Owner: CN=Deployment key, O=ForgeRock.com Issuer: CN=Deployment key, O=ForgeRock.com ... Trust this certificate? [no]: yes Certificate was added to keystore -
Replace the default
conf/repo.ds.jsonfile with this repo.ds.json file.Replace the values of
fileBasedTrustManagerFileandfileBasedTrustManagerPasswordFilewith the path to your IDM truststore and truststore password file.Check that the properties under
ldapConnectionFactoriesmatch the DS server that you set up as the identity store.
-
-
It is worth starting IDM at this point, to make sure that it can connect to the external DS repository.
-
Set the
JAVA_HOMEenvironment variable. -
Start IDM, and wait until you see
OpenIDM readyin the output:/path/to/openidm/startup.sh -> OpenIDM version "7.2.0" <build-info> OpenIDM ready
-
-
Update the
userobject in your managed object configuration by making the following changes to yourconf/managed.jsonfile.All changes are made to the object
user>schema>properties:{ "objects": [ { "name": "user", ... "schema": { "properties": { ... } ... } ] }-
Remove encryption from the
passwordproperty. Remove:"encryption" : { "purpose": "idm.password.encryption" }Password encryption is not supported in a shared identity store setup. Instead, the shared identity store supports only hashed passwords, a format that both AM and IDM can use. This differs from Separate identity stores, where AM and IDM do not share the identity store, and so each service can store passwords in different formats.
-
Update the
passwordproperty to ensure that users update their passwords through the self-service APIs, not directly:"userEditable" : false -
Add a
cnproperty to theuserobject:{ "objects": [ { "name": "user", ... "schema": { "properties" : { "_id" : { ... }, "cn": { "title": "Common Name", "description": "Common Name", "type": "string", "viewable": false, "searchable": false, "userEditable": false, "scope": "private", "isPersonal": true, "isVirtual": true, "onStore": { "type": "text/javascript", "source": "object.cn || (object.givenName + ' ' + object.sn)" } }, ... } ... } ] } -
Configure social authentication.
Add an
aliasListproperty to theuserobject:"aliasList": { "title": "User Alias Names List", "description": "List of identity aliases used primarily to record social IdP subjects for this user", "type": "array", "items": { "type": "string", "title": "User Alias Names Items" }, "viewable": false, "searchable": false, "userEditable": true, "returnByDefault": false, "isVirtual": false },
-
-
Change the authentication mechanism to
rsFilteronly:-
Replace the default
conf/authentication.jsonfile with this authentication.json file. -
Check that the
clientSecretmatches theClient secretthat you set for theidm-resource-serverclient in AM (see Configure OAuth Clients). -
Check that the
rsFilter>subjectMapping>propertyMapping>subproperty is correctly configured.The
authentication.jsonfile aligns with the default AM configuration for subject claim uniqueness. AM refers to the subject by its unique identifier, and so IDM does, too.If AM has its advanced server property,
org.forgerock.security.oauth2.enforce.sub.claim.uniqueness, set tofalse, for example, because you upgraded from a previous release of AM, use this property mapping instead:"propertyMapping": { "sub": "userName" }AM refers to the subject by its username in this case. For details, see the reference for the setting in the AM documentation.
For more information about authenticating using the
rsFilter, see Authenticate through AM in the IDM documentation. -
-
Edit the IDM admin UI configuration so that you can still authenticate through the IDM admin UI:
-
In your
/path/to/openidm/conf/ui-configuration.jsonfile, insert aplatformSettingsobject into theconfigurationobject:{ "configuration" : { ... "platformSettings" : { "adminOauthClient" : "idm-admin-ui", "adminOauthClientScopes" : "fr:idm:*", "amUrl" : "http://am.example.com:8081/am", "loginUrl" : "" } } }This object tells the IDM admin UI that it is operating in "platform mode" (that is, as an OAuth 2.0 client of AM).
-
In your
conf/ui.context-admin.jsonfile, check thatX-Frame-Optionsis set toSAMEORIGIN:Sample ui.context-admin.json
{ "enabled" : true, "cacheEnabled": true, "urlContextRoot" : "/admin", "defaultDir" : "&{idm.install.dir}/ui/admin/default", "extensionDir" : "&{idm.install.dir}/ui/admin/extension", "responseHeaders" : { "X-Frame-Options" : "SAMEORIGIN" } }
-
-
Configure the CORS servlet filter.
Replace the default
conf/servletfilter-cors.jsonfile with this servletfilter-cors.json file. -
If you have not already started IDM, start it now, and test that you can access the IDM admin UI at http://openidm.example.com:8080/admin.
When you log in to the IDM admin UI, use the default AM administrative user (
amAdmin), and notopenidm-admin. -
If you want to use the
PlatformForgottenUsernameorPlatformResetPasswordtrees, configure outbound email.After you have installed the Platform UI, you can configure email through the UI at
http://openidm.example.com:8080/admin.
IDM is now configured for this deployment. Move on to setting up the Platform UIs.