Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting

Scripting extends ForgeRock products in a powerful way, for deployers as well as developers. For OpenAM, deployers can embed the ssoadm command line utility in comprehensive shell scripts for ultra-fast deployments and configurations. Developers can use scripts for client-side and server-side authentication, policy conditions, and handling OpenID Connect claims. In OpenIDM, scripting allows you to customize many aspects of OpenIDM functionality by providing custom logic between source and target mappings, defining correlation rules, filters, triggers, and more.

Webinar Highlights:
Scripting
The ForgeRock Platform
Q&A

Join Anders Askåsen, Senior Technical Product Manager, and Javed Shah, Senior Sales Engineer, as they highlight the concepts and show examples and best practices for scripting with the ForgeRock Identity Platform.

Published in: Software

Slide 1 (Copyright © 2015 ForgeRock, all rights reserved.)
Extend The Power of The ForgeRock Identity Platform Through Scripting
Javed Shah, Senior Sales Engineer
Anders Askåsen, Senior Technical Product Manager
October 27th, 2015

Slide 2: Fastest-growing Open Source Identity Security Software company in the world
ForgeRock
• Founded 2010 with high double-digit growth every year since inception
• Over 300 full-time employees
• Over 400 customers
• Active in over 30 countries
• Locations: San Francisco, Vancouver (US), Bristol (UK), London (UK), Grenoble (F), Oslo, Singapore, Düsseldorf (D)
Award-winning platform driving innovation worldwide
• Gold winner of the CEO World awards 2014
• Silver Winner in the 6th Annual Golden Bridge Award 2014
• Silver winner for the Fastest-Growing Company of the Year in 2014
• Best in Biz Awards 2014

Slide 3: Extensible Software
“As companies get serious about digital transformation, we see investments shifting toward extensible software platforms used to build and manage a differentiated customer experience.”
Source (March 2015): http://blogs.forrester.com/michael_yamnitsky/15-03-31-modern_software_platforms_are_in_hypergrowth

Slide 4: The Platform

Slide 5: The ForgeRock Identity Platform
Identity Management, Access Management, Directory Services, Identity Gateway

Slide 6: Unified Platform
A single integrated, open platform with a Common REST API and a Common User Interface. Capabilities across the products: Web Services Security, Session Management, Synchronization, Auditing, LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Monitoring, Groups, Password Policy, Active Directory Synch, Reporting, Authentication, Authorization, Provisioning, Password Management, OpenID Connect, Federation, Entitlements, Workflow Engine, Reconciliation, Password Replay, OAuth2, Adaptive Risk, Single Sign-on, Registration, Role Provisioning, Message Transformation, SAML2, Throttling, Scripting.

Slide 7: Deployment & Config

Slide 8: Deployment & Config
    #!/bin/sh
    URL="http://openam.example.com:8080"
    AM="${URL}/openam"
    AUTHN="${AM}/identity/authenticate"
    # Authenticate as the administrator and keep the token from "token.id=..."
    TOK=$(curl -s -k --request POST --data "username=amadmin&password=cangetinam" "$AUTHN" | cut -f2 -d=)
    echo "=> OpenAM Token: ${TOK}" ; echo ""
    # Alternatively, read the request body from a file: --data @body.json

Slide 9: Deployment & Config
    # Create an OAuth2/OIDC client using the token acquired above
    curl --request POST \
      --header "iplanetDirectoryPro: ${TOK}" \
      --header "Content-Type: application/json" \
      --data '{
        "client_id": ["mobile"],
        "realm": ["/"],
        "userpassword": ["password"],
        "com.forgerock.openam.oauth2provider.clientType": ["Confidential"],
        "com.forgerock.openam.oauth2provider.redirectionURIs": ["'"${URL}/oauth2/oauth2.htm"'", "'"${URL}/oIDc/openidc.htm"'"],
        "com.forgerock.openam.oauth2provider.scopes": ["cn|Name", "mail|Email", "openid", "profile"],
        "com.forgerock.openam.oauth2provider.defaultScopes": ["cn"],
        "com.forgerock.openam.oauth2provider.responseTypes": ["code", "token", "id_token", "code token", "token id_token", "code id_token", "code token id_token"],
        "com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg": ["HS256"],
        "com.forgerock.openam.oauth2provider.name": ["Test Client"],
        "com.forgerock.openam.oauth2provider.description": ["OIDC 1.0 Client"]
      }' "${AM}/frrest/oauth2/client/?_action=create"

Slide 10: Scripting in OpenIDM

Slide 11: Scripted Connectors
• Scripted Groovy Connector Implementations
  – Scripted SQL
  – Scripted REST
  – Scripted CREST
  – Scripted Azure
• Samples provided!
• Microsoft Integration – The Scripted PowerShell Connector
• Samples provided illustrating Active Directory

Slide 12: OpenIDM Services
    openidm.create("managed/user", bjensen, map);
    openidm.patch("managed/user/" + user._id, null, [{"operation": "replace", "field": "/password", "value": "Passw0rd"}]);
    openidm.read("managed/user/" + userId);
    openidm.update('managed/user/' + source._id, null, user_read);
    openidm.delete('managed/user/' + user._id, user._rev);
    openidm.query("managed/user", {"_queryFilter": "/userName sw \"user.1\""}, ["userName", "_id"]);
    openidm.action('sync', 'performAction', content, params);

Slide 13: OpenIDM Services
    openidm.encrypt(value, cipher, alias);
    openidm.decrypt(value);
    openidm.isEncrypted(object);
    openidm.hash(value, algorithm);
    logger.info(string message, object... params);
    logger.debug(string message, object... params);
    logger.error(string message, object... params);
    logger.trace(string message, object... params);
    logger.warn(string message, object... params);

Slide 14: Where can scripts be triggered?
• Scripts in Mappings (conf/sync.json)
  – Triggered by situation (onCreate, onUpdate, onDelete, onLink, onUnlink)
  – Object filter (validSource, validTarget)
  – Correlating objects (correlationQuery, correlationScript)
  – Any reconciliation
  – Scripts inside properties
• Scripts called in the managed object configuration (conf/managed.json) file
  – onCreate, onRead, onUpdate, onDelete, onValidate, onRetrieve, onStore, onSync, postCreate, postUpdate, and postDelete

Slide 15: Where can scripts be triggered?
• Scripts called in the router configuration (conf/router.json) file
  – onRequest, onResponse, onFailure
• Scripted Connectors
  – Scripted SQL, Scripted Groovy, Scripted REST/CREST, Scripted SAP, Scripted SSH, Scripted PowerShell

Slide 16: Scripting in OpenAM
http://openam.forgerock.org/doc/bootstrap/dev-guide/index.html#chap-scripting (draft documentation)

Slide 17: Overview
• Script Design and Workflow in OpenAM
• Device Registration and Authentication
  – A more standard way of using the Scripting Framework
  – Demo
• The Scripting API
  – Useful in geo-fencing using reverse geocode lookup
  – Useful for policy- or role-based authentication
  – Demo

Slide 18: Scripting Design – The Client Side Script
• Authentication modules can use Client Side scripts and Server Side scripts (JavaScript or Groovy)
• The use of a Client Side script is optional
• Used as a data collection mechanism
  – Geo location / Fonts / Screen resolution / Timezone
  – Browser Plugins
• Returns collected data in: clientScriptOutputData
  – A string you could .split() to pull all client-side data

Slide 19: The Client Side Script

Slide 20: Scripting Design – The Server Side Script
• Handles Authentication
• Has access to:
  – clientScriptOutputData (sent by the client script)
  – Scripting API
• Must set the authentication state to
  – SUCCESS or
  – FAILED

Slide 21: The Server Side Script

Slide 22: Device Registration and Authentication in OpenAM

Slide 23: Device Authentication

Slide 24: Device Authentication

Slide 25: Device Authentication

Slide 26: Device Id (Match)
• Predefined scripts in OpenAM:
  – Client side script
  – Server side script
• Scripts are referenced inside Module instances
• Depends on other modules:
  – For user identification (Data Store)
  – Second factor on failure (HOTP)
  – Device Id Save!

Slide 27: Device Id (Match)
• Checks different criteria using the Client Side Script
  – User agents
  – Installed fonts
  – Installed plugins
  – Resolution/color depth associated with a display
  – Time zone, geo location
• Adds penalty points if a criterion is missed
• Checks the sum of penalty points against a threshold

Slide 28: Device Id (Save)
• Prompts the user before saving the device profile
  – Can be configured to auto-save
• Will save the device profiles in the user’s profile
  – The number of profiles stored can be changed from the default of 5
• The authentication chain is usually configured not to reach this module if the device was recognized by the Device Id (Match) module
  – Device Id (Match) configured as Sufficient ensures processing stops if a profile match was found
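The penalty-point comparison that the Device Id (Match) slide describes, as an added plain Node.js example (not OpenAM's own Device Id (Match) script). It assumes the client script packs its data into clientScriptOutputData as one '|'-separated string, and the weights, threshold and sample profile are constructed values rather than OpenAM defaults.

```javascript
// Added example, not OpenAM's Device Id (Match) script. Assumed (not from the
// slides): '|'-separated client output, constructed weights and threshold.
const PENALTIES = {            // points added when a criterion does not match
  userAgent: 10,
  fonts: 5,
  plugins: 5,
  screen: 2,                   // resolution / colour depth of the display
  timezone: 3,
  geolocation: 10,             // exact string compare here; a real script
};                             // would allow a distance tolerance
const THRESHOLD = 9;           // total penalty at or above this => no match

// Parse the client output: ua|fonts|plugins|screen|timezone|lat,lon
function parseClientData(clientScriptOutputData) {
  const [userAgent, fonts, plugins, screen, timezone, geolocation] =
    clientScriptOutputData.split('|');
  return { userAgent, fonts, plugins, screen, timezone, geolocation };
}

// Compare every criterion against one stored profile and sum the penalties.
function scoreDevice(collected, storedProfile) {
  let penalty = 0;
  const mismatches = [];
  for (const [criterion, points] of Object.entries(PENALTIES)) {
    if (collected[criterion] !== storedProfile[criterion]) {
      penalty += points;
      mismatches.push(criterion);
    }
  }
  return { penalty, mismatches, matched: penalty < THRESHOLD };
}

// Module outcome: SUCCESS if the best-scoring stored profile is under the
// threshold, otherwise FAILED so the chain continues to the second factor.
function deviceMatchOutcome(clientScriptOutputData, storedProfiles) {
  const collected = parseClientData(clientScriptOutputData);
  const best = storedProfiles
    .map((profile) => scoreDevice(collected, profile))
    .sort((a, b) => a.penalty - b.penalty)[0];
  return best && best.matched ? 'SUCCESS' : 'FAILED';
}

// Constructed sample: same device as the stored profile, only the time zone differs.
const SAMPLE_STORED = [{ userAgent: 'Mozilla/5.0 (X11)', fonts: 'Arial,Courier',
  plugins: 'pdf', screen: '1920x1080x24', timezone: 'UTC+1', geolocation: '52.37,4.90' }];
const SAMPLE_CLIENT = 'Mozilla/5.0 (X11)|Arial,Courier|pdf|1920x1080x24|UTC+2|52.37,4.90';
```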
Slide 29: Demo – Device Fingerprinting

Slide 30: Scripted Authentication in OpenAM

Slide 31: Scripted Authentication

Slide 32: HTTP Commons Framework (coming in OpenAM 13)
• org.forgerock.http.protocol.*
  – Request / Cookie / Entity / Header / Headers / Response
• org.forgerock.util.promise.*
  – Promises: a Promise represents the result of an asynchronous task.
• groovy.json.JsonSlurper
  – JSON parser used in the scripts
• API Documentation
  – http://commons.forgerock.org/bom/apidocs/index.html

Slide 33: Scripting API
• Make REST API calls from the Server Side Script!
  – Use the new HTTP Commons Framework to make a new Request
  – httpClient.send(Request) returns a Promise
  – Promise.get() returns a Response
  – Parse the Response using JsonSlurper!
• Accessing Authentication State
  – OpenAM passes to the Server Side script:
    • authState, sharedState (contains the password also)
    • username

Slide 34: Scripting API
• Logging
  – logger
    • error() / message() / warning()
• Accessing Profile Data
  – idRepository
    • getAttribute / setAttribute / addAttribute
• Access the original login request using the requestData object
  – getHeader(name) / getHeaders(name)
  – getParameter(name) / getParameters(name)

Slide 35: Policy Configuration for Demo

Slide 36: Scripting Demo
• Acquire ssoToken using REST
• Evaluate policy for the resources “authn/self” and “authn/view”

Slide 37: Scripting Demo
• Policy decision
• Check the Policy decision and permit if the requested actions are ALLOWED
• Logout the service account or the user
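The flow of the two Scripting Demo slides (acquire an ssoToken, evaluate the policy for "authn/self" and "authn/view", permit only if every requested action is allowed, then log the service account out), as an added Node.js example that is not the demo's own script. It assumes a hypothetical injected client.post(path, headers, body) in place of httpClient.send(Request) / Promise.get(), and the endpoint paths, header names, policy-set name and response shapes are assumptions modelled on OpenAM's /json REST API rather than taken from the slides.

```javascript
// Added example, not the demo's script. `client.post(path, headers, body)` is a
// hypothetical stand-in for httpClient.send(Request)/Promise.get(); paths, headers
// and response shapes are assumptions modelled on OpenAM's /json REST API.
const RESOURCES = ['authn/self', 'authn/view'];
const ACTIONS = ['GET'];
const APPLICATION = 'iPlanetAMWebAgentService'; // assumed default policy set name

function evaluateAccess(client, svcUser, svcPassword, subjectToken) {
  // 1. ssoToken for the service account allowed to call the policy endpoint.
  const login = client.post('/json/authenticate',
    { 'X-OpenAM-Username': svcUser, 'X-OpenAM-Password': svcPassword }, null);
  if (login.status !== 200 || !login.body.tokenId) return 'FAILED';
  const svcToken = login.body.tokenId;
  try {
    // 2. Evaluate the policy for the subject being authenticated.
    const evaln = client.post('/json/policies?_action=evaluate',
      { iPlanetDirectoryPro: svcToken },
      { resources: RESOURCES, subject: { ssoToken: subjectToken }, application: APPLICATION });
    if (evaln.status !== 200 || !Array.isArray(evaln.body)) return 'FAILED';
    // 3. Permit only when every resource allows every action; a resource missing
    //    from the response or an action not listed counts as denied (fail closed).
    const allowed = RESOURCES.every((res) => {
      const entry = evaln.body.find((e) => e.resource === res);
      return Boolean(entry && entry.actions) && ACTIONS.every((a) => entry.actions[a] === true);
    });
    return allowed ? 'SUCCESS' : 'FAILED';
  } finally {
    // 4. Always log the service account out so its session does not linger.
    client.post('/json/sessions?_action=logout', { iPlanetDirectoryPro: svcToken }, null);
  }
}

// Constructed fake OpenAM for offline use: `decisions` maps resource -> { action: boolean }.
function fakeClient(decisions) {
  const calls = [];
  return {
    calls,
    post(path, headers, body) {
      calls.push(path);
      if (path === '/json/authenticate') return { status: 200, body: { tokenId: 'svc-token-constructed' } };
      if (path.startsWith('/json/policies')) {
        const decided = body.resources.filter((r) => r in decisions)
          .map((r) => ({ resource: r, actions: decisions[r] }));
        return { status: 200, body: decided };
      }
      return { status: 200, body: {} };
    },
  };
}
```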
Slide 38: Demo – Scripted Authentication

Slide 39: Other Possibilities
• Policy condition scripting
  – Attach a script as a policy condition!
• OIDC Claims data
  – Scripts that gather and populate the claims in a request when issuing an ID token or making a request to the userinfo endpoint.

Slide 40: IDENTITY SUMMIT SERIES 2015: EUROPE
5 November, Amsterdam
10 November, Düsseldorf
Visit summits.forgerock.com

Slide 41: Thank You! Questions?