ForgeRock Identity Platform 7.2

Deployment overview

These instructions show two sample deployments:

Separate identity stores

This deployment has an external DS instance configured as the AM configuration store, and a second external DS instance configured as the AM identity store. The IDM repository is an external JDBC database. The sample was tested with MySQL. The deployment uses an LDAP connector to synchronize the identities between IDM and AM:


Shared Identity Store

This deployment has an external DS instance configured as the AM configuration store. The AM and IDM servers share an external DS instance as the identity store, and no synchronization configuration is required:


In both deployments, the Platform UIs can run in separate Docker containers. If you want to run the Platform UIs in containers, get Docker before you start.

Component interaction

A platform configuration relies on multiple components working together. The following image shows how the AM OAuth 2 clients interact with the IDM resource server filter (rsFilter) to grant access through the Platform UIs:

  1. The Platform UIs send a request to the AM Authorization Endpoint.

  2. If the end user is authenticated, the user agent is redirected back to the UI, according to the Redirection URI request parameter.

  3. If the end user is not authenticated, the AM Authorization Endpoint redirects the user agent to the Platform Login UI.

  4. After successful authentication, the Platform Login UI redirects the user agent back to the AM Authorization Endpoint, according to the GoTo request parameter.

  • Do not use the IDM stand-alone end-user UI if you are deploying AM and IDM as a platform. This UI is delivered with IDM under ui/enduser . It is not the same as the platform-enduser UI and will not work in a platform deployment.

  • By default, the IDM admin UI only supports users from the AM root realm. If you need to support users from other realms, adjust the /oauth2/ references in the /path/to/openidm/ui/admin/default/index.html file:

    commonSettings.authorizationEndpoint = calculatedAMUriLink.href + '/oauth2/authorize';
        clientId: commonSettings.clientId,
        authorizationEndpoint: commonSettings.authorizationEndpoint,
        tokenEndpoint: calculatedAMUriLink.href + '/oauth2/access_token',
        revocationEndpoint: calculatedAMUriLink.href + '/oauth2/token/revoke',
        endSessionEndpoint: calculatedAMUriLink.href + '/oauth2/connect/endSession',

    For example, if your realm is named alpha, replace /oauth2/ with /oauth2/realms/root/realms/alpha/.

Server settings

These instructions assume that all servers are deployed on their own hosts, with the following server settings. Adjust the settings to match your own deployment.

To deploy the entire platform on a single computer, the recommended alternative is to use the ForgeOps Cloud Developer’s Kit (CDK) on Minikube.

If you nevertheless choose to demonstrate these deployments on your computer, add aliases for the fully qualified domain names used for AM, IDM and platform UIs to your /etc/hosts file:

Also, use a single DS server with all applicable DS setup profiles for your deployment. You can use localhost as the domain for the DS server for demonstration purposes. Adapt the instructions to configure AM and IDM accordingly.

  • AM host:

  • AM port: 8081

  • External DS configuration store host:

  • External DS configuration store ports:

    adminConnectorPort 4444
    ldapPort 1389
    ldapsPort 1636

  • External DS identity store host:

    These settings apply to both the separate and shared DS identity stores.

  • External DS identity store ports:

    adminConnectorPort 4444
    ldapPort 1389
    ldapsPort 1636

  • IDM host:

  • IDM ports: HTTP 8080, HTTPS 8443

  • Platform Admin UI:

  • Platform Login UI:

  • Platform End User UI:

Copyright © 2010-2024 ForgeRock, all rights reserved.