How to Integrate OpenAM 7.4.0 with OpenIDM 7.4.1 for User Authentication? Encountering Connection Error

Hello,

I am currently working on integrating OpenAM 7.4.0 with OpenIDM 7.4.1 to ensure that all users registered in OpenIDM are available in OpenAM and can be authenticated directly through OpenAM.

My Setup:

  1. OpenIDM Configuration:
     • OpenIDM is installed and running on localhost at port 9000.
     • Managed users are configured in OpenIDM.
  2. OpenAM Configuration:
     • OpenAM is installed and accessible.
     • During OpenAM setup, I tried configuring the data store to connect to OpenIDM, but it failed with a connection error.

Configuration Attempt:

OpenAM User Data Store Configuration:

  • User Data Store Type: ForgeRock DS for IAM
  • SSL/TLS Enabled: Unchecked
  • Directory Name: localhost
  • Port: 9000
  • Root Suffix: dc=openam,dc=forgerock,dc=org
  • Login ID: cn=Directory Manager
  • Password: [Your OpenIDM Admin Password]

Error: “Cannot connect to Directory Server, the error was: Connect Error”

Screenshot of the Error:

Steps Taken to Troubleshoot:

  1. Verified OpenIDM Status:
     • OpenIDM is running and accessible via the admin console and REST API.
  2. Checked Network Connectivity:
     • From the OpenAM server, confirmed connectivity to OpenIDM on localhost:9000 using telnet and nc.
  3. Verified Credentials:
     • Confirmed that the Login ID and Password are correct and have the necessary permissions.
  4. Checked Root Suffix:
     • Verified that the Root Suffix (dc=openam,dc=forgerock,dc=org) is correctly configured in OpenIDM.

I have attached the screenshot of the error.

Questions:

  1. Is there a specific type or configuration required in OpenAM to connect to OpenIDM as an identity store?
     • During identity store configuration in OpenAM, there was no option for OpenIDM. How should I configure this?
  2. Detailed Steps to Configure OpenAM with OpenIDM:
     • Could someone provide a step-by-step guide on how to set up OpenAM to use OpenIDM as an identity store?
     • Are there specific attributes or settings in Generic LDAPv3 that need to be configured to work with OpenIDM?
  3. Authentication Module Configuration:
     • Is there a need to set up a specific authentication module in OpenAM to authenticate users from OpenIDM?
     • If yes, what are the detailed steps to configure this?

Any detailed guidance, documentation links, or examples would be greatly appreciated.

Thank you in advance for your help!

Best regards,
Anees

Hi @anees.am

There is a lot to address here. First and foremost, IDM is not an identity store, at least not in the manner in which AM is looking for. AM is looking for an LDAP directory for its identity store, and IDM itself is not an LDAP directory - that would be DS if we want to talk about ForgeRock offerings. IDM can be configured to use DS as a data store, and if you deploy the ForgeRock Identity Platform as described in the documentation at Docs - ForgeRock Backstage you will see a great approach for this.

The configuration you have shared seems to imply that you are attempting to use the IDM UI (running on port 9000) as the identity store. This is not an LDAP directory, it is a web application hosted in an embedded Jetty instance. You simply cannot configure AM in this manner.

As I commented on in a previous topic you created, I don’t quite understand what you are trying to accomplish here. This deployment approach doesn’t make much sense, and to be quite honest I don’t think it will lead to success. If you could share your goals with us perhaps we could offer some more tailored guidance to you. My gut is telling me that you would be best suited in looking at the Identity Platform documentation I shared earlier, however without specific details it’s hard to be certain.

I highly recommend looking into some of the self-managed on-demand training that ForgeRock offers, especially starting with the Essentials and building from there. Please take a look at Training - ForgeRock Backstage and consider going through the Essentials courses at a minimum.

I hope this helps!

1 Like

Hello mwtech,

Thanks for your reply and guidance.

I am trying to create a user in OpenAM without enabling user self-registration. I am able to do this in OpenIDM, and that's why I attempted to authenticate the user in OpenIDM from OpenAM.

I used the following steps and curl commands to create a user in OpenAM.

Obtain an OAuth 2.0 access token directly using admin credentials

curl --request POST \
  --url http://localhost:8080/openam/oauth2/realms/root/access_token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=password&username=admin&password=adminpassword&scope=openid&client_id=yourClientId&client_secret=yourClientSecret'

Use the Access Token to Create a User

curl --request POST \
  --url http://localhost:8080/openam/json/realms/root/realms/myrealm/users \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...' \
  --data '{
    "username": "newuser",
    "userPassword": "newpassword",
    "mail": "newuser@example.com",
    "givenName": "New",
    "sn": "User"
  }'

However, I am encountering the following error:
{"code":401,"reason":"Unauthorized","message":"Access Denied"}

Query no.1
Could you please advise on how I can create a user in OpenAM using the REST API without enabling user self-registration?

Query no.2
Can I use a MySQL database instead of the data store approach? (I meant to ask whether OpenAM and OpenIDM can use the same MySQL database, so that OpenAM can access all users of OpenIDM.) Please share your views on that also.

Regards,
Anees

Hi @anees.am

I really need to ask you to read the documentation for these products, and ideally consume some of the training content. This would all be much easier for both of us if you took this advice, as you’d have a much clearer understanding of what these products do and how they can (and cannot) interact with each other. This would prevent you from following these pathways that seem destined for failure.

To answer your questions:
1 - Depending on how you configure AM you could accomplish user creation via an authentication journey. This would be simplified if you look at the previously recommended Identity Platform deployment approach.
2 - Easily? No. You could, however, pursue the use of a virtual directory solution. I can’t say I’ve ever seen anyone try to use a VD overtop of the IDM database, and I certainly would never recommend it. A brief read through of the AM documentation (Requirements :: ForgeRock Access Management) would show you that MySQL is not a supported identity repository.

I hope you take my advice into consideration and read the documentation of these products and consume the training content.

Mike

2 Likes

@anees.am Adding to @mwtech's excellent answer: you can do absolutely everything, but you can't escape the consequences. Adopting an anti-pattern (that is, a design pattern that is not explicitly documented, supported, recommended, tested, and performance proofed) will definitely end up in support headaches, and you will pay dearly for the shortcut. Accessing data stores through the back door (e.g. skipping the IDM/AM REST APIs) is one of these things. And remember that:

  • IDM is the place where identities should be created/managed (hence the name “Identity Management”)
  • AM should be concerned only with authenticating users and providing authorisation (hence the name “Access Management”)
  • Even when it comes to user registration from an AM Journey, AM (via the Identity Management nodes) delegates user creation/update to IDM.
1 Like

Hello @mwtech and @patrick_diligent ,

I am working on setting up Single Sign-On (SSO) using the following components:

OpenAM: Authentication Manager
OpenIDM: Identity Manager
OpenDJ: LDAP server

Use Case

My goal is to integrate these components to achieve a seamless SSO experience. Here are the specific steps and requirements:

Run OpenDJ, OpenAM, OpenIDM:

    Each component runs in its own Docker container.

Configure OpenDJ as a common datastore for OpenAM and OpenIDM:

    This configuration allows both OpenAM and OpenIDM to use OpenDJ for storing and managing user data.

Make proper settings for security:
    Ensure secure communication and proper access control between components.

Disable user self-registration:
    Users should not be able to self-register. All user management will be handled through the API.

Manage users using the API of OpenIDM:
    User creation, deletion, and updates are managed through OpenIDM's API.

Authenticate users for applications using OpenAM:
    OpenAM handles the authentication requests from various applications.

Sample Dockerfiles

Here are the Dockerfiles I am using:
Dockerfile for OpenAM

FROM openidentityplatform/openam
EXPOSE 8080
VOLUME /opt/openam

Dockerfile for OpenIDM

FROM openidentityplatform/openidm
EXPOSE 8080
VOLUME /opt/openam
#. Map this 8080 to 8081 port on run

Dockerfile for OpenDJ

FROM openidentityplatform/opendj
EXPOSE 1389 4444
VOLUME /opt/opendj

Current Progress

OpenDJ Configuration:
Installed and configured OpenDJ.
Successfully set up OpenAM to use OpenDJ as a datastore. Identities created in OpenAM are available in OpenDJ.

OpenIDM Configuration Issue:
When configuring OpenIDM to use OpenDJ as the datastore, I encountered an error while adding the LDAP connector.

Error Encountered

When trying to add the LDAP connector in OpenIDM, I receive the following error:

Error Connector not found: ConnectorKey(bundleName=org.forgerock.openicf.connectors.ldap-connector bundleVersion=[1.5.0.0,1.6.0.0) connectorName=org.identityconnectors.ldap.LdapConnector)

Request for Assistance

I would appreciate any help in resolving this issue. Specifically, I need guidance on:

Verifying that I have the correct LDAP connector version installed.
Ensuring that the configuration settings in OpenIDM correctly reference the LDAP connector.
Any additional steps or troubleshooting tips to resolve the connector not found error.

Attached screenshot of my configuration for reference.

Thank you in advance for your assistance.

Best regards,
Anees

Greetings Anees,

Everyone else has piped in so I am embarrassed I haven’t yet ;-)

In fact, the error in your configuration is precisely as the error message implies.
For trusted LDAPS connections, let alone mutual TLS connections, the other server's certificate needs to be installed in the client server's truststore. Be sure to include an alias reflecting the resolvable name of the LDAP server.
Cheers
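Two points in this thread come down to the same check: the port AM is pointed at must actually speak LDAP (port 9000 in the first post is IDM's Jetty HTTP listener, not a directory), and for LDAPS the server certificate must chain to a CA the client trusts. The probe below is an added example, not code from the thread or from ForgeRock: it hand-encodes an anonymous LDAPv3 bind (empty DN, empty password, so nothing secret is sent), sends it, and reports whether the reply is an LDAP BindResponse, an HTTP error page, or something else. With a CA file it first wraps the socket in TLS using Python's default verification, so a trust failure surfaces as an `ssl.SSLError` before any LDAP traffic. Host, port and the CA path are whatever you pass on the command line; the sample replies at the bottom are constructed for illustration, not captured from a real server.

```python
"""Check whether host:port speaks LDAP (optionally over TLS) before pointing
AM or IDM at it. Added example; assumes nothing beyond the Python stdlib."""
import socket
import ssl

# --- minimal BER helpers (LDAP uses a BER subset, RFC 4511) -----------------

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Tag-length-value triplet."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length


def ldap_bind_request(msg_id: int = 1) -> bytes:
    """Anonymous simple BindRequest: LDAPv3, empty DN, empty password."""
    bind = ber_tlv(0x60,                    # [APPLICATION 0] BindRequest
                   ber_tlv(0x02, b"\x03")   # version 3
                   + ber_tlv(0x04, b"")     # name (LDAPDN) = ""
                   + ber_tlv(0x80, b""))    # simple authentication = ""
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + bind)


def classify_response(data: bytes):
    """Return ("ldap", resultCode), ("http", None) or ("unknown", None)."""
    if data.startswith(b"HTTP/"):           # a web listener, e.g. IDM's Jetty
        return ("http", None)
    try:
        tag, msg, _ = read_tlv(data)
        if tag != 0x30:                     # LDAPMessage SEQUENCE
            return ("unknown", None)
        tag, _msg_id, pos = read_tlv(msg)
        if tag != 0x02:                     # messageID INTEGER
            return ("unknown", None)
        tag, op, _ = read_tlv(msg, pos)
        if tag != 0x61:                     # [APPLICATION 1] BindResponse
            return ("unknown", None)
        tag, rc, _ = read_tlv(op)
        if tag != 0x0A:                     # ENUMERATED resultCode
            return ("unknown", None)
        return ("ldap", int.from_bytes(rc, "big"))
    except (IndexError, ValueError):
        return ("unknown", None)


def probe(host: str, port: int, cafile: str = None, timeout: float = 5.0):
    """Connect, optionally wrap in TLS trusting only `cafile` (chain and
    hostname are verified), send the anonymous bind and classify the reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if cafile is not None:
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(ldap_bind_request())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return ("silent", None)
    return classify_response(data) if data else ("closed", None)


# Constructed sample replies (not captured from any real server).
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_BIND_RESPONSE = ber_tlv(
    0x30,
    ber_tlv(0x02, b"\x01")
    + ber_tlv(0x61, ber_tlv(0x0A, b"\x31")  # resultCode 49 invalidCredentials
                    + ber_tlv(0x04, b"")    # matchedDN
                    + ber_tlv(0x04, b"")))  # diagnosticMessage


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(host, port, cafile))        # e.g. ('ldap', 0) or ('http', None)
```

Run it as `python probe.py localhost 9000` and `python probe.py localhost 1389`: the first should come back as `http`, the second as `ldap` with whatever result code the directory gives an anonymous bind (any code still proves it is LDAP). Adding the exported CA certificate as a third argument against the LDAPS port tells you whether that CA file, and only that file, is enough to validate the directory's certificate, which is the same question the AM and IDM truststores have to answer.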

Just wondering what the use case is in configuring an LDAP connector to the datastore, since you're deploying the platform with a shared datastore? E.g. both AM and IDM are accessing the same identity branch, so there is no need to sync identities?

1 Like

Hello @patrick_diligent,

I just wanted to deploy AM and IDM to use a shared datastore. For AM, I could get it done using the UI configuration while setting up OpenAM. OpenAM is using OpenDJ as its datastore now.

But I couldn't do the same for OpenIDM. I just want OpenIDM to use the same OpenDJ that OpenAM is using.

I was configuring the LDAP connector in OpenIDM to achieve this. If that is not the correct way, could you please let me know the correct way to deploy AM and IDM to use a shared OpenDJ datastore?

One more quick question:
Can I use REST APIs to create users in OpenDJ?

Thanks and Regards,
Anees

Good morning Anees,

Patrick may have called it a day already.
From my vantage there seems to be a lack of a clear architectural solution embracing well thought out use cases.
The short answer to your question is ‘yes’. However, now I am doubly concerned:

  1. Using IdM, which has RESTful interfaces for all user provisioning needs
  2. Wanting to augment 1 with user provisioning to DS directly, via RESTful interfaces
     1. may cause a need for “reconciliation processes”
  3. And not entirely clear on your plan for hosting of data in the DS. Data destined for the DS can be classified as follows:
     a. AM configuration data, not to be merged.
     b. IdM configuration data, not to be merged.
     c. AM user data
     d. IdM user data
     e. c & d can be merged; however, this is not a simple LDAP merging of data, it requires a particular set of schema changes from the classic approach.
     And so, does such a ratified solution architecture exist?

@anees.am your case is easily addressed in the official documentation.

  1. Diagram about the final architecture: Choose your sample :: ForgeRock Identity Platform
  2. How this works: Choose your sample :: ForgeRock Identity Platform
  3. Configuring the IDM repo: Set up IDM :: ForgeRock Identity Platform

And yes, you can access DS with REST: HTTP access :: PingDS

1 Like

Dear @patrick_diligent,

Thanks a lot for your valuable reply.

Based on your reply, I started working on setting up a shared identity store with OpenAM, OpenIDM, and OpenDJ to achieve SSO functionality. While I have successfully established connectivity between OpenIDM and OpenDJ, I am encountering an issue where OpenAM fails to connect to OpenDJ.

Setup Details:

  1. Components:

    • OpenAM (Authentication Manager)
    • OpenIDM (Identity Manager)
    • OpenDJ (LDAP server)
  2. Objective:

    • Configure OpenDJ as the common datastore for both OpenAM and OpenIDM.
    • Ensure proper security settings.
    • Disable user self-registration.
    • Manage users using the OpenIDM API.
    • Authenticate users for applications using OpenAM.

Configuration Steps:

  1. OpenDJ Configuration:

    • Created deployment ID using dskeymgr.
    • Set up DS with necessary profiles and passwords.
    • Started DS and exported the CA certificate.
    • Encountered an issue with dskeymgr missing in the OpenDJ Docker image, resolved by using the latest DS version.
  2. OpenIDM Configuration:

    • Updated boot.properties with openidm.host.
    • Imported the OpenDJ CA certificate into OpenIDM.
  3. OpenAM Configuration:

    • Installed Tomcat and deployed the openam.war file.
    • Accessed the web UI and followed the steps for configuration.

Status:

  • OpenIDM is successfully connected to OpenDJ.
    • Verified by creating and listing identities in OpenDJ using ldapsearch.

Issue:
Despite successful IDM and DJ connectivity, OpenAM fails to connect to OpenDJ. The error details are captured in the screenshot attached.

Screenshot:

Query:
I would appreciate any insights or suggestions on resolving the connectivity issue between OpenAM and OpenDJ. Specifically:

  • Are there any additional configurations required for OpenAM to connect to OpenDJ that might have been missed?

  • What would this encryption key in the below screenshot be? I am getting an auto-generated value in that field. Is that okay, or should I replace it with something from OpenDJ?
    Since I cannot add more than one screenshot in a single post, I will attach it as another reply

  • Could there be any specific permissions or settings in OpenDJ that need adjustment for OpenAM?

  • Any troubleshooting steps or logs that could help diagnose the issue further?

Thank you in advance for your support!

Dear @patrick_diligent ,

Here is the screenshot in which I am having a doubt regarding the encryption key.

Thanks in advance
Anees