The document outlines the capabilities and features of the ForgeRock Identity Platform, emphasizing its extensibility and support for digital transformation in identity security. It includes technical details about its deployment, configuration, and scripting functionalities, highlighting the platform's innovations in identity management and authentication. Additionally, it describes the company’s growth, customer base, and international presence since its founding in 2010.

1. Copyright © 2015 ForgeRock, all rights reserved. 1
Extend The Power of
The ForgeRock Identity Platform
Through Scripting
Javed Shah, Senior Sales Engineer
Anders Askåsen, Senior Technical Product Manager
October 27th, 2015

2. Copyright © 2015 ForgeRock, all rights reserved. 2
Fastest-growing Open Source Identity
Security Software company in the world
Our Investors: Our Origins:
ForgeRock
• Founded 2010 with high double digit growth every year
since inception
• Over 300 full time employees
• Over 400 customers
• Active in over 30 countries
• Locations: San Francisco, Vancouver (US), Bristol
(UK), London (UK), Grenoble (F), Oslo, Singapore,
Düsseldorf (D)
Award winning platform driving
innovation worldwide
• Gold winner of the CEO World awards 2014
• Silver Winner in the 6th Annual Golden
Bridge Award 2014
• Silver winner for the Fastest-Growing Company of the
Year in 2014
• Best in Biz Awards 2014

3. Copyright © 2015 ForgeRock, all rights reserved. 3
Extensible Software
“As companies get serious about digital transformation,
we see investments shifting toward extensible software platforms
used to build and manage
a differentiated customer experience.”
Source (March 2015):
http://blogs.forrester.com/michael_yamnitsky/15-03-31-modern_software_platforms_are_in_hypergrowth

4. Copyright © 2015 ForgeRock, all rights reserved. 4
The Platform

5. Copyright © 2015 ForgeRock, all rights reserved. 5
The ForgeRock Identity Platform
(Identity Management) (Access Management)
(Directory Services) (Identity Gateway)

6. Copyright © 2015 ForgeRock, all rights reserved. 6
Unified Platform
Web Services
Security
Session
Management
Synchronization Auditing
LDAPv3 REST/JSON
Replication Access Control
Schema
Management
Caching
Auditing
Monitoring
Groups
Password Policy
Active
Directory Synch
Reporting
Authentication Authorization Provisioning
Password
Management
Authentication OpenID Connect
Federation Entitlements Workflow Engine Reconciliation Password Replay OAuth2
Adaptive Risk
Single
Sign-on
Registration Role Provisioning
Message
Transformation
SAML2
Throttling Scripting
CommonRESTAPI
CommonUserInterface
Single Integrated, Open Platform

7. Copyright © 2015 ForgeRock, all rights reserved. 7
Deployment & Config

8. Copyright © 2015 ForgeRock, all rights reserved. 8
Deployment & Config
#!/bin/sh
URL="http://openam.example.com:8080”
AM="${URL}/openam”
AUTHN="${AM}/identity/authenticate”
TOK=`curl -s -k --request POST --data "username=amadmin&password=cangetinam" $AUTHN | cut -f2 -d=`
echo "=> OpenAM Token: ${TOK}" ; echo ""
# --data @body.json

9. Copyright © 2015 ForgeRock, all rights reserved. 9
Deployment & Config
curl --request POST --header "iplanetDirectoryPro: ${TOK}” --header "Content-Type: application/json” --data
'{"client_id":["mobile"],
"realm":["/"],
"userpassword":["password"],
"com.forgerock.openam.oauth2provider.clientType":["Confidential"],
"com.forgerock.openam.oauth2provider.redirectionURIs":
["'"${URL}/oauth2/oauth2.htm"'","'"${URL}/oIDc/openidc.htm"'"],
"com.forgerock.openam.oauth2provider.scopes":["cn|Name","mail|Email","openid","profile"],
"com.forgerock.openam.oauth2provider.defaultScopes":["cn"],
"com.forgerock.openam.oauth2provider.responseTypes":["code","token","id_token","code token","token id_token","code id_token","code token
id_token"],
"com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg":["HS256"],
"com.forgerock.openam.oauth2provider.name":["Test Client"],
"com.forgerock.openam.oauth2provider.description":["OIDC 1.0 Client"]
}'
${AM}/frrest/oauth2/client/?_action=create

10. Copyright © 2015 ForgeRock, all rights reserved. 10
Scripting in OpenIDM

11. Copyright © 2015 ForgeRock, all rights reserved. 11
Scripted Connectors
•Scripted Groovy Connector Implementations
–Scripted SQL
–Scripted REST
–Scripted CREST
–Scripted Azure
•Samples provided!
•Microsoft Integration – The Scripted PowerShell Connector
•Samples provided illustrating Active Directory

12. Copyright © 2015 ForgeRock, all rights reserved. 12
OpenIDM Services
openidm.create("managed/user", bjensen, map);
openidm.patch("managed/user/" + user._id, null,
[{"operation" : "replace", "field" : "/password", "value":
"Passw0rd"}]);
openidm.read("managed/user/"+userId);
openidm.update('managed/user/' + source._id, null,
user_read);
openidm.delete('managed/user/'+ user._id, user._rev);
openidm.query("managed/user", { "_queryFilter": "/userName
sw "user.1""}, ["userName", "_id"]);
openidm.action('sync', 'performAction', content, params);

13. Copyright © 2015 ForgeRock, all rights reserved. 13
OpenIDM Services
openidm.encrypt(value, cipher, alias);
openidm.decrypt(value);
openidm.isEncrypted(object);
openidm.hash(value, algorithm);
logger.info(string message, object... params);
logger.debug(string message, object... params);
logger.error(string message, object... params);
logger.trace(string message, object... params);
logger.warn(string message, object... params);

14. Copyright © 2015 ForgeRock, all rights reserved. 14
Where can scripts be triggered?
•Scripts in Mappings (conf/sync.json)
•Triggered by situationon (onCreate, onUpdate, onDelete, onLink, onUnlink)
•Object filter (validSource, validTarget)
•Correlating objects (correlationQuery, correlationScript)
•Any reconciliation
•Scripts inside properties
•Scripts called in the managed object configuration
(conf/managed.json) file
•onCreate, onRead, onUpdate, onDelete, onValidate, onRetrieve, onStore,
onSync, postCreate, postUpdate, and postDelete

15. Copyright © 2015 ForgeRock, all rights reserved. 15
Where can scripts be triggered?
• Scripts called in the router configuration (conf/router.json)
fileonRequest, onResponse, onFailure
• Scripted Connectors
Scripted SQL
Scripted Groovy
Scripted REST/CREST
Scripted SAP
Scripted SSH
Scripted PowerShell

16. Copyright © 2015 ForgeRock, all rights reserved. 16
Scripting in OpenAM
http://openam.forgerock.org/doc/bootstrap/dev-guide/index.html#chap-scripting
Draft documentation

17. Copyright © 2015 ForgeRock, all rights reserved. 17
Overview
• Script Design and Workflow in OpenAM
• Device Registration and Authentication
–A more standard way of using the Scripting Framework
–Demo
• The Scripting API
–Useful in geo fencing using reverse geocode lookup
–Useful for policy or role-based authentication
–Demo

18. Copyright © 2015 ForgeRock, all rights reserved. 18
Scripting Design –
The Client Side Script
•Authentication modules can use Client Side scripts and Server Side
scripts (JavaScript or Groovy)
•The use of a Client Side script is optional
•Used as a data collection mechanism
– Geo location / Fonts / Screen resolution / Timezone
– Browser Plugins
•Returns collected data in: clientScriptOutputData
–A string you could .split() to pull all client-side data

19. Copyright © 2015 ForgeRock, all rights reserved. 19
The Client Side Script

20. Copyright © 2015 ForgeRock, all rights reserved. 20
Scripting Design –
The Server Side Script
•Handles Authentication
•Has access to:
–clientScriptOutputData (sent by the client script)
–Scripting API
•Must set the authentication state to
–SUCCESS or
–FAILED

21. Copyright © 2015 ForgeRock, all rights reserved. 21
The Server Side Script

22. Copyright © 2015 ForgeRock, all rights reserved. 22
Device Registration and Authentication in
OpenAM

23. Copyright © 2015 ForgeRock, all rights reserved. 23
Device Authentication

24. Copyright © 2015 ForgeRock, all rights reserved. 24
Device Authentication

25. Copyright © 2015 ForgeRock, all rights reserved. 25
Device Authentication

26. Copyright © 2015 ForgeRock, all rights reserved. 26
Device Id (Match)
•Predefined scripts in OpenAM:
–Client side script
–Server side script
•Scripts are referenced inside Module instances
•Depends on other modules:
–For user identification (Data Store)
–Second factor on failure (HOTP)
–Device Id Save!

27. Copyright © 2015 ForgeRock, all rights reserved. 27
Device Id (Match)
•Checks different criteria using Client Side Script
–User agents
–Installed fonts
–Installed plugins
–resolution/color depth associated with a display
–time zone, geo location
•Adds penalty points if one criteria is missed
•Checks sum of penalty points against a threshold

28. Copyright © 2015 ForgeRock, all rights reserved. 28
Device Id (Save)
•Prompts the user before saving the device profile
–Can be configured to auto save
•Will save the device profiles in the user’s profile
– Number of profiles stored can be changed from a default 5
•Authentication chain is usually configured to not reach this module,
if the device was recognized by the Device Id (Match) module
–Device Id Match configured as Sufficient ensures processing stops if a
profile match was found

29. Copyright © 2015 ForgeRock, all rights reserved. 29
Demo – Device Fingerprinting

30. Copyright © 2015 ForgeRock, all rights reserved. 30
Scripted Authentication in OpenAM

31. Copyright © 2015 ForgeRock, all rights reserved. 31
Scripted Authentication

32. Copyright © 2015 ForgeRock, all rights reserved. 32
HTTP Commons Framework
(coming in OpenAM 13)
•org.forgerock.http.protocol.*
–Request / Cookie / Entity / Header / Headers / Response
•org.forgerock.util.promise.*
–Promises
–A Promise represents the result of an asynchronous task.
•groovy.json.JsonSlurper
–JSON parser used in the scripts
•API Documentation
–http://commons.forgerock.org/bom/apidocs/index.html

33. Copyright © 2015 ForgeRock, all rights reserved. 33
Scripting API
•Make REST API calls from the Server Side Script!
–Use the new HTTP Commons Framework to make a new Request
–httpClient.send(Request), returns a Promise
–Promise.get(), returns a Response
–Parse the Response using JsonSlurper!
•Accessing Authentication State
–OpenAM passes to Server Side script:
•authState, sharedState (contains password also)
•username

34. Copyright © 2015 ForgeRock, all rights reserved. 34
Scripting API
•Logging
–logger
• error() / message() / warning()
•Accessing Profile Data
–idRepository
• getAttribute / setAttribute / addAttribute
•Access the original login request using requestData object
–getHeader(name) / getHeaders(name)
–getParameter(name) / getParameters(name)

35. Copyright © 2015 ForgeRock, all rights reserved. 35
Policy Configuration for Demo

36. Copyright © 2015 ForgeRock, all rights reserved. 36
Scripting Demo
Acquire ssoToken using REST
Evaluate policy for the resource “authn/self” and “authn/view”

37. Copyright © 2015 ForgeRock, all rights reserved. 37
Scripting Demo
Policy decision
Check Policy decision and permit if requested actions ALLOWED
Logout the service account or the user

38. Copyright © 2015 ForgeRock, all rights reserved. 38
Demo – Scripted Authentication

39. Copyright © 2015 ForgeRock, all rights reserved. 39
Other Possibilities
•Policy condition scripting
–attach a script as a policy condition!
•OIDC Claims data
–Scripts that gather and populate the claims in a request when issuing
an ID token or making a request to the userinfo endpoint.

40. Copyright © 2015 ForgeRock, all rights reserved. 40
IDENTITY SUMMIT SERIES 2015: EUROPE
5 November
Amsterdam
10 November
Düsseldorf
Visit summits.forgerock.com

41. Copyright © 2015 ForgeRock, all rights reserved. 41
Thank You!
Questions?