Getting started
Guide to installing and evaluating ForgeRock® Identity Management software. This software offers flexible services for automating management of the identity life cycle.
This guide shows you how to install and get started with ForgeRock Identity Management software. As you read this guide, you will learn how ForgeRock Identity Management software reconciles customer identity data to ensure accurate information across disparate resources within an organization.
ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, refer to https://www.forgerock.com.
The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.
About IDM
Whenever you need access to important information, administrators need to know who you are. They need to know your identity, which may be distributed in multiple accounts.
As a user, you might have several accounts even within your own company, for functions such as:
-
Email
-
Human Resources
-
Payroll
-
Engineering, Support, Accounting, and other functions
Each of these accounts may be stored in different resources, such as DS, Active Directory, OpenLDAP, and more. Keeping track of user identities in each of these resources (also known as data stores) can get complex. IDM simplifies the process, as it reconciles differences between resources.
With situational policies, IDM can handle discrepancies such as a missing or updated address for a specific user. The server includes default but configurable policies to handle such conditions. In this way, consistency and predictability is ensured, in an otherwise chaotic resource environment.
IDM can make it easier to track user identities across these resources. IDM has a highly scalable, modular, readily deployable architecture that can help you manage workflows and user information.
What Can You Do With IDM?
This software allows you to simplify the management of identity, as it can help you synchronize data across multiple resources. Each organization can maintain control of accounts within their respective domains.
IDM works equally well with user, group, and device identities.
You can also configure workflows to help users manage how they sign up for accounts, as part of how IDM manages the life cycle of users and their accounts.
You can manage employee identities as they move from job to job. You will make their lives easier as their user accounts can be registered on different systems automatically. Later, IDM can increase productivity when it reconciles information from different accounts, saving users the hassle of entering the same information on different systems.
ForgeRock Identity Management Integrations
Now that you have seen how IDM can help you manage users, review the features that IDM can bring to your organization:
-
Web-Based Administrative User Interface
Configure IDM with the Web-Based Administrative User Interface. You can configure many major server components without ever touching a text configuration file.
-
Self-Service Functionality
User self-service features can streamline onboarding, account certification, new user registration, username recovery, and password reset. The self-service features are built upon a BPMN 2.0-compliant workflow engine.
-
Registration With Social Identities
Users can now register new accounts using information from social identity providers, including Google, Facebook, and LinkedIn. If you configure access through more than one social identity provider, users can select and manage the providers they use. You can also synchronize user information with marketing databases.
For more information, refer to Social registration.
-
Role-Based Provisioning
Create and manage users based on attributes such as organizational need, job function, and geographic location.
-
Backend Flexibility
Choose the desired backend database for your deployment. IDM supports MySQL, Microsoft SQL Server, Oracle Database, IBM DB2, and PostgreSQL. For the supported versions of each database, refer to Before you install.
-
Password Management
Set up fine-grained control of passwords to ensure consistent password policies across all applications and data stores. Supports separate passwords per external resource.
-
Logging, Auditing, and Reporting
IDM logs all activity, internally and within connected systems. With such logs, you can track information for access, activity, authentication, configuration, reconciliation, and synchronization.
-
Access to External Resources
IDM can access a generic scripted connector that allows you to set up communications with many external data stores.
IDM demo : Getting started
In this guide, you will learn how IDM reconciles user data between two data stores. We will look at a department that is adding a third engineer, Jane Sanchez.
Your Human Resources department has updated their data store with Jane Sanchez’s information. You want to use IDM to update the internal Engineering data store, but first, you have to start IDM.
While the reconciliation demonstrated in this guide uses two simplified data files, you can set up the same operations at an enterprise level on a variety of resources.
Return to the situation described earlier, where you have Jane Sanchez joining the engineering department. The following illustration depicts what must be done to reconcile the differences.
Set up the server
What You Need Before Starting
-
For an up-to-date list of requirements, refer to Before you install.
Download and start the server
This procedure assumes that you are starting IDM as a regular (not administrative) user named user
.
-
Download IDM from Backstage. Releases on Backstage are thoroughly validated for ForgeRock customers who run the software in production deployments, and for those who want to try or test a given release.
-
Extract the contents of the IDM binary file to your user’s
Downloads
directory. The process should unpack the contents to theDownloads/openidm
subdirectory. -
Navigate to the
Downloads/openidm
subdirectory:-
In Microsoft Windows, use Windows Explorer to navigate to the
C:\Users\user\Downloads\openidm
directory.Double-click the
getting-started(.bat)
file. Do not select thegetting-started.sh
file, as that is intended for use on UNIX/Linux systems. -
In Linux/UNIX, open a command-line interface and run the following command:
/home/user/Downloads/openidm/getting-started.sh
-
-
The following message should display:
-> OpenIDM ready
When the server is ready, you can administer it from a web browser. To do so, navigate to http://localhost:8080/admin
or https://localhost:8443/admin
. If you have installed the server on a remote system, substitute that hostname or IP.
In production, you should connect to IDM via a secure port and import a CA-signed certificate into the truststore, as discussed in the Security. Until you install that certificate, a warning displays in your browser the first time you access IDM over a secure port. |
The default username and password for the IDM Administrator is openidm-admin
and openidm-admin
.
When you log in to IDM at a URL with the /admin
endpoint, you are logging into the Administrative User Interface, also known as the admin UI.
The default password for the administrative user, |
Demo data files
In a production deployment, you can have any number of external data stores, such as Active Directory and ForgeRock Directory Services (DS). For illustration purposes, this guide uses two simple static files as external data stores:
-
hr.csv
represents the Human Resources data store. It is in CSV format, commonly used to share data between spreadsheet applications. -
engineering.csv
represents the Engineering data store. It is also in CSV format.
You can find these files in the binary package that you downloaded earlier, in the following subdirectory: openidm/samples/getting-started/data
.
Reconcile data stores
A central feature of IDM is reconciliation — comparing the contents of two data stores and deciding what to do, depending on the differences.
This scenario is based on two data files:
-
hr.csv
, which represents the Human Resources data store -
engineering.csv
, which represents the Engineering data store
Reconciliation modifies the Engineering data store by adding the newly hired Jane Sanchez. As suggested by the following illustration, it will also address detailed differences between Jane’s Human Resources account and the Engineering data store.
This sample includes configuration files that map detailed information from the Human Resources data store to the Engineering data store. For example, the configuration maps the firstName
entry in Human Resources to the firstname
entry in Engineering.
Mapping between data stores may require additional configuration. You should find two |
In the admin UI, you can review how the different categories are reconciled for user Jane Sanchez. Log in to the admin UI at https://localhost:8443/admin
. The default username is openidm-admin
and default password is openidm-admin
.
Click Configure > Mappings > HumanResources_Engineering
> Edit.
In the Sample source preview text box, enter Sanchez
. A selectable drop-down entry for Jane Sanchez should display. When you select Jane Sanchez’s entry, two tables of attributes should display. One table displays how the data is modeled in the source data store. The other table displays how the data is modeled in the target data store. Refer to the following screenshot for an example:
Scroll back up the same page. Click Reconcile.
When you reconcile the two data stores, IDM makes the change to the Engineering data store.
The mapping for this example is configured in the sync.json
file, in the /path/to/openidm/samples/getting-started/conf
directory.
Reconcile after an update
Now that you have used IDM to reconcile two data stores, try something else. Assume the Engineering organization wants to overwrite all user telephone numbers in its employee data store with one central telephone number.
For this purpose, you can set up a default telephone number for the next reconciliation:
-
Click Configure > Mappings >
HumanResources_Engineering
> Edit. -
On the HumanResources_Engineering mapping page, click the Properties tab, and expand the Attributes grid.
-
In the TARGET column, select the row that contains the
telephoneNumber
attribute. -
Click the Default Values tab, and type a default number:
Figure 4. Set a new default telephone number
When you click Update, and Save, IDM changes the mapping in the sync.json
file. The next time you run a reconciliation from Human Resources to Engineering, the default telephone number will be included for all employees in the Engineering group.
Stop and remove the server
Follow these steps to stop and remove IDM.
-
To stop IDM, return to the console window where you saw the following message:
-> OpenIDM ready
Press Return, and type the following command:
-> shutdown
-
IDM is self-contained. After you shut down the server, you can choose to delete the files in the
/path/to/openidm
directory. There are no artifacts in system registries or elsewhere.
We hope that you want to continue exploring IDM.
To do so, review the rest of the IDM documentation.
Where to go from here
IDM can do much more than reconcile data between two different sources. Read about the key product features in these sections:
Reconciliation
IDM supports reconciliation between two data stores, as a source and a target.
In identity management, reconciliation compares the contents of objects in different data stores, and makes decisions based on configurable policies.
For example, if you have an application that maintains its own user store, IDM can ensure your canonical directory attributes are kept up to date by reconciling their values as they are changed.
For more information, refer to Synchronization overview.
Authentication Modules
IDM provides several authentication modules to help you protect your systems. For more information, refer to Authentication and session modules.
Password Management
Administrative users can manage user passwords from the admin UI, and users can reset their own passwords in the End User UI.
To access the End User UI as an administrative user, log in to the admin UI, and select Self-Service from the drop-down menu in the top right corner:
In the End User UI, click Edit Your Profile, and click Reset next to the Password field. You can change your password, subject to the following minimum number of characters:
-
Length ≥ 8
-
Capital letters ≥ 1
-
Numbers ≥ 1
IDM supports robust password policies. You can modify policies such as the following:
-
Elements that should not be a part of a password, such as a family name
-
Password expiration dates
-
Password histories, to prevent password reuse
For more information, including details on configuring these policies, refer to Passwords.
User Role Management
Some users need accounts on multiple systems. For example, insurance agents may also have insurance policies with the company that they work for. In that situation, the insurance agent is also a customer of the company.
Alternatively, a salesperson may also test customer engineering scenarios. That salesperson may also need access to engineering systems.
Each of these user scenarios is known as a role. You can set up a consolidated set of attributes associated with each role. To do so, you would configure custom roles to assign to selected users. For example, you may assign both insured and agent roles to an agent, while assigning the insured role to all customers.
In a similar fashion, you can assign both sales and engineering roles to the sales engineer.
You can then synchronize users with those roles into appropriate data stores.
For more information, refer to Managed Roles. For a sample of how you can configure external roles, refer to Provision users with roles.
Business Processes and Workflows
A business process begins with an objective and includes a well-defined sequence of tasks to meet that objective. IDM allows you to configure many of these tasks as self-service workflows, such as self-registration, new user onboarding, and account certification.
You can also automate many of these tasks as a workflow.
After you configure the right workflows, a newly hired engineer can log in to IDM and request access to manufacturing information.
That request is sent to the appropriate manager for approval. After it is approved, IDM provisions the new engineer with access to manufacturing.
IDM supports workflow-driven provisioning activities, based on the embedded Flowable Process Engine, which complies with the Business Process Model and Notation 2.0 (BPMN 2.0) standard.
Remote Data Stores
IDM can connect to a substantial variety of user and device data stores, on premise and in the cloud. A number of specific connectors are provided, allowing you to connect to those dedicated data stores. In addition, you can connect to many more data stores using a scripted connector framework.
Connectors are provided for a number of external resources, including:
-
Google Web Applications (refer to Google Apps connector).
-
Salesforce (refer to Salesforce connector).
-
Any LDAPv3-compliant directory, including DS and Active Directory (refer to LDAP connector).
-
CSV Files (refer to CSV file connector).
-
Database Tables (refer to Database table connector).
For a full list, refer to Supported connectors.
If the resource that you need is not on the list, you should be able to use one of the scripted connectors to connect to that resource:
-
For connectors associated with Microsoft Windows, IDM includes a PowerShell Connector Toolkit that you can use to provision a variety of Microsoft services, including but not limited to Active Directory, SQL Server, Microsoft Exchange, SharePoint, Azure Active Directory, and Office 365. For more information, refer to Powershell connector. IDM includes a sample PowerShell Connector configuration, described in Connect to Active Directory with the PowerShell connector.
-
For other external resources, IDM includes a Groovy Connector Toolkit that allows you to run Groovy scripts to interact with any external resource. For more information, refer to Groovy Connector Toolkit.
For sample implementations of the scripted Groovy connector, refer to Connect to DS with ScriptedREST.
Additional Samples
IDM is a lightweight and highly customizable identity management product.
The documentation includes a number of additional use cases. Most of these are known as Samples, and are described in Samples provided with IDM.
These samples include step-by-step instructions on how you can connect to different data stores, customize product behavior using JavaScript and Groovy, and administer IDM with ForgeRock’s common REST API commands.