IDM 7.3.1

UMA, trusted devices, and privacy

In the following sections, you will refer to AM documentation to set up User-Managed Access (UMA), Trusted Devices, and Privacy for your end users. The section requires IDM authentication with AM bearer tokens and the rsFilter authentication module. For more information, refer to Authenticate through AM.

If you want to configure both UMA and Trusted Devices in AM, configure these features in the following order, as described in the sections that follow:

  1. Set up UMA

  2. Use AM to configure UMA-based resources

  3. Configure Trusted Devices

If you have to reconfigure UMA at a later date, you’ll have to first disable Trusted Devices. You can enable Trusted Devices, once again, afterwards.

User Managed Access in IDM

When you integrate IDM with ForgeRock Access Management (AM) you can take advantage of AM’s abilities to work with User-Managed Access (UMA) workflows. AM and IDM use a common installation of ForgeRock Directory Services (DS) to store user data.

When you have configured IDM to authenticate through AM bearer tokens, you can configure AM to work with UMA. For more information, refer to the AM User-Managed Access (UMA) Guide. From that guide, you need to know how to:

  • Set up AM as an authorization server.

  • Register resource sets and client agents in AM.

  • Help users manage access to their protected resources through AM.

Pay close attention to the AM documentation on configuring an OAuth 2.0 UMA Client and UMA Server. You may need to add specific grant types to each OAuth 2.0 application.

If you follow AM documentation to set up UMA, you’ll refer to instructions on setting up users as resource owners and requesting parties. If you set up users in AM, be sure to include the following information for each user:

  • First Name

  • Last Name

  • Email Address

AM writes this information to the common DS user data store. You can then synchronize these users to the IDM Managed User data store, with a command such as:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"

After your users have shared UMA resources from the AM Self-Service UI, they can view what they’ve done and shared in the IDM End User UI, by selecting the Sharing icon ().

Configuring Trusted Devices on IDM

You can configure Trusted Devices through AM, using the following sections of the AM Authentication and Single Sign-On Guide: Configuring Authentication Chains and Device ID (Match) Authentication Module. You can use the techniques described in these sections to set up different authentication chains for administrators and regular users.

You can create an AM authentication chain with the following modules and criteria:

AM Authentication Chain Modules
Module Criteria

Data Store

Requisite

Device Id (Match)

Sufficient

Device Id (Save)

Required

This is different from the authentication chain described in the following section of the AM Authentication and Single Sign-On Guide: Device ID (Match) Authentication Module, as it does not include the HOTP Authentication Module.

When trusted devices are enabled, users are presented with a prompt on a screen with the following question "Add to Trusted Devices?". If the user selects Yes, that user is prompted for the name of the Trusted Device.

In default configurations, trusted devices are not saved for the AM amadmin account. You can set up different AM administrative users as described in Delegate privileges in the AM Security Guide.

You can set up different authentication chains for regular and administrative users, as described in the AM Authentication and Single Sign-On Guide.