
How do I migrate Security Question answers into Identity Cloud?

Last updated Jul 13, 2022

The purpose of this article is to provide instructions for migrating security question answers (KBA) from an AM identity repository into ForgeRock Identity Cloud.


Prerequisites

  • A working LDAP connector to the identity repository that contains user answers.
  • A working user mapping between the source system and Identity Cloud.

Overview

Migrating security answers for users into Identity Cloud is done in three steps:

  1. Export the security questions from the source system (AM or IDM).
  2. Import the security questions into Identity Cloud.
  3. Migrate the security question answers.

Note

Manually creating the questions in Identity Cloud will cause a failure in the synchronization of answers. Each question has an ID that must remain consistent between the source and target (Identity Cloud) systems. The only way to ensure this (especially if custom answer IDs have been used in the source system) is to export the questions from the source system and import them into Identity Cloud. Even if the questions in the source system are the same as in Identity Cloud, they may be in a different order (and therefore have different IDs), so you should still export the questions and import them.

Exporting the security questions from the source system

You can export the security questions as follows depending on the source of the questions: AM or IDM.

  1. AM only: Authenticate to the source system. For example (quote the URL so the shell does not treat the & in the query string as a command separator):

       $ curl -X POST \
         -H "X-OpenAM-Username: amadmin" \
         -H "X-OpenAM-Password: cangetinam" \
         -H "Content-Type: application/json" \
         -H "Accept-API-Version: resource=2.1" \
         "https://am.example.com:8443/am/json/realms/root/authenticate?authIndexType=service&authIndexValue=adminconsoleservice"

     Example response:

       {
         "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*",
         "successUrl": "/am/console",
         "realm": "/"
       }
  2. Query the source system for the security questions depending on the source of the questions:
    • AM (pass the tokenId from the previous step in the iPlanetDirectoryPro header):

        $ curl -X GET "https://am.example.com:8443/am/json/selfservice/kba#1.0_read" \
          -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" \
          -H "Content-type: application/json"

    • IDM:

        $ curl -X GET "http://localhost:8080/openidm/config/selfservice.kba" \
          -H "accept: application/json" \
          -H "Accept-API-Version: resource=1.0" \
          -H "X-OpenIDM-Username: openidm-admin" \
          -H "X-OpenIDM-Password: openidm-admin"

Example response:

    {
      "_id": "1",
      "_rev": "1.0",
      "questions": {
        "1": { "en": "What is the name of your favourite restaurant?" },
        "2": { "en": "What was the model of your first car?" },
        "3": { "en": "What was the name of your childhood pet?" },
        "4": { "en": "What is your mother's maiden name?" }
      },
      "minimumAnswersToDefine": 1,
      "minimumAnswersToVerify": 1
    }

You will need this response when you import the security questions into Identity Cloud; use only the questions, minimumAnswersToDefine and minimumAnswersToVerify sections in the --data-raw section of the import curl command in the following section.

Importing the security questions into Identity Cloud

  1. Import the questions into Identity Cloud using REST, replacing <tenant-name> with your Identity Cloud tenant name and <access-token> with the access token you obtained when you authenticated to the Identity Cloud REST API. Ensure you add the questions, minimumAnswersToDefine and minimumAnswersToVerify properties (from the response above). Note the '\'' sequence, which is how a single quote is written inside a single-quoted shell string:

       $ curl \
         --request PUT 'https://<tenant-name>.forgeblocks.com/openidm/config/selfservice.kba' \
         --header 'authorization: Bearer <access-token>' \
         --header 'Accept-API-Version: resource=1.0' \
         --header 'Content-Type: application/json' \
         --data-raw '{
           "_id": "selfservice.kba",
           "kbaPropertyName": "kbaInfo",
           "minimumAnswersToDefine": 1,
           "minimumAnswersToVerify": 1,
           "questions": {
             "1": { "en": "What is the name of your favourite restaurant?" },
             "2": { "en": "What was the model of your first car?" },
             "3": { "en": "What was the name of your childhood pet?" },
             "4": { "en": "What is your mother'\''s maiden name?" }
           }
         }'

  2. Verify the questions imported correctly, checking that each ID maps to the same question text as in the source system:

       $ curl \
         --request GET 'https://<tenant-name>.forgeblocks.com/openidm/config/selfservice.kba' \
         --header 'authorization: Bearer <access-token>' \
         --header 'Accept-API-Version: resource=1.0' \
         --header 'Content-Type: application/json'

Migrating the security question answers

Once you have imported the questions, you can migrate the security question answers from the source system to the target Identity Cloud by adding the kbaInfo property to the mapping definition. A transformation script is needed to process multiple question answers correctly, because each user's kbaInfo holds one entry per answered question.

  1. In the Identity Cloud admin UI, go to Native Consoles > Identity Management > Configure > Mappings.
  2. Edit the mapping from the source system to managedAlpha_user (or managedBravo_user if working in the Bravo realm).
  3. Go to Properties tab > Attributes Grid.
  4. Click Add property, select the kbaInfo property and click Add.
  5. Configure the source as follows depending on the source type:
    • For a DS repository source:
      1. Select kbaInfo as the source property.
      2. In the Transformation Script tab, add the following JavaScript transformation script (the value of the last expression evaluated is written to the target property):

           // kbaInfo in DS is a multi-valued attribute of JSON strings; parse each one.
           if (source) {
             source.map(kba => JSON.parse(kba))
           }
      3. Click Save.
    • For IDM database repository source:
      1. Choose fullobject as the source property.
      2. In the Transformation Script tab, add the following JavaScript transformation script (the value of the last expression evaluated is written to the target property):

           // fullobject is the whole source user as a JSON string; keep only its kbaInfo.
           var obj = JSON.parse(source);
           obj.kbaInfo;
      3. Click Save.
  6. Reconcile the mapping.
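The following is an added example, not code from the ForgeRock article or product: it models the two transformation scripts above under Node.js and adds the check a practitioner would want before reconciling, namely that every migrated answer references a question ID that exists in the imported selfservice.kba config and that the exported and imported question sets agree ID-by-ID. The kbaConfig, hashedAnswer, dsSource and dbSource values are constructed samples; the hashed-answer shape is an assumption about how IDM stores kbaInfo.

```javascript
// Added example (not from the ForgeRock article). Models the two mapping transformation
// scripts above and checks migrated answers against the imported question set.
// Constructed sample: the selfservice.kba config as imported into Identity Cloud.
const kbaConfig = {
  questions: {
    "1": { en: "What is the name of your favourite restaurant?" },
    "2": { en: "What was the model of your first car?" },
  },
  minimumAnswersToDefine: 1,
  minimumAnswersToVerify: 1,
};

// Constructed answer entry in the assumed shape IDM stores: a salted hash, never plaintext.
const hashedAnswer = (questionId) => ({ questionId, answer: { $crypto: { type: "salted-hash",
  value: { algorithm: "SHA-256", data: "<hash>", salt: "<salt>" } } } });

// DS repository source: kbaInfo arrives as a multi-valued attribute of JSON strings.
// In IDM the mapping supplies `source` and the last evaluated expression is the result.
function transformFromDs(source) {
  if (!source) return null;
  return source.map((kba) => JSON.parse(kba));
}

// IDM database repository source: `fullobject` is the whole user as one JSON string.
function transformFromIdmDb(source) {
  const obj = JSON.parse(source);
  return obj.kbaInfo;
}

// Pre-reconciliation check: every answer must point at a question ID present in
// the target config; custom questions carry their text inline and need no ID.
function findOrphanedAnswers(kbaInfo, config) {
  if (!kbaInfo) return [];
  return kbaInfo
    .filter((e) => !e.customQuestion && !(e.questionId in config.questions))
    .map((e) => e.questionId);
}

// Compare exported and imported question sets ID-by-ID to catch reordered questions.
function questionsMatch(exported, imported) {
  const ids = Object.keys(exported.questions);
  return ids.length === Object.keys(imported.questions).length &&
    ids.every((id) => JSON.stringify(exported.questions[id]) ===
                      JSON.stringify(imported.questions[id]));
}

// Constructed sample source records for both repository types; "4" is not in kbaConfig.
const dsSource = [JSON.stringify(hashedAnswer("1")), JSON.stringify(hashedAnswer("4"))];
const dbSource = JSON.stringify({ userName: "bjensen", kbaInfo: [hashedAnswer("2")] });
```

Running findOrphanedAnswers over the transformed dsSource reports question ID "4", which is exactly the case the Note above warns about: an answer whose question ID has no counterpart in the target, so the KBA Verification node could never match it.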

Journeys using the KBA Verification node should now accept the security question answers the users entered in the source system.

See Also

Security questions

