webinar: extend the power of the forgerock identity platform through scripting


Upload: forgerock

Post on 19-Jan-2017


TRANSCRIPT

Page 1: Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting

Copyright © 2015 ForgeRock, all rights reserved. 1

Extend The Power of The ForgeRock Identity Platform

Through Scripting

Javed Shah, Senior Sales Engineer
Anders Askåsen, Senior Technical Product Manager

October 27th, 2015

Page 2

Fastest-growing Open Source Identity Security Software company in the world

Our Investors: Our Origins:

ForgeRock

• Founded 2010 with high double digit growth every year since inception

• Over 300 full time employees

• Over 400 customers

• Active in over 30 countries

• Locations: San Francisco, Vancouver (US), Bristol (UK), London (UK), Grenoble (F), Oslo, Singapore, Düsseldorf (D)

Award winning platform driving innovation worldwide

• Gold winner of the CEO World awards 2014

• Silver Winner in the 6th Annual GoldenBridge Award 2014

• Silver winner for the Fastest-Growing Company of the Year in 2014

• Best in Biz Awards 2014

Page 3

Extensible Software

“As companies get serious about digital transformation, we see investments shifting toward extensible software platforms used to build and manage a differentiated customer experience.”

Source (March 2015): http://blogs.forrester.com/michael_yamnitsky/15-03-31-modern_software_platforms_are_in_hypergrowth

Page 4

The Platform

Page 5

The ForgeRock Identity Platform

(Identity Management) (Access Management)

(Directory Services) (Identity Gateway)

Page 6

Unified Platform

(Diagram: capabilities of the four products laid out side by side.)

Capabilities shown: Web Services Security, Session Management, Synchronization, Auditing, LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Monitoring, Groups, Password Policy, Active Directory Synch, Reporting, Authentication, Authorization, Provisioning, Password Management, OpenID Connect, Federation, Entitlements, Workflow Engine, Reconciliation, Password Replay, OAuth2, Adaptive Risk, Single Sign-on, Registration, Role Provisioning, Message Transformation, SAML2, Throttling, Scripting

Cross-cutting: Common REST API, Common User Interface

Single Integrated, Open Platform

Page 7

Deployment & Config

Page 8

Deployment & Config

#!/bin/sh
URL="http://openam.example.com:8080"
AM="${URL}/openam"
AUTHN="${AM}/identity/authenticate"
# The legacy authenticate endpoint answers "token.id=<SSO token>"; keep the value after "=".
# -k skips TLS certificate verification and is only acceptable against this lab instance.
TOK=$(curl -s -k --request POST --data "username=amadmin&password=cangetinam" "$AUTHN" | cut -f2 -d=)
echo "=> OpenAM Token: ${TOK}" ; echo ""
# --data @body.json

Page 9

Deployment & Config

# Create the OAuth2/OIDC client "mobile" in the top-level realm, authenticating with the token from the previous step.
curl --request POST --header "iplanetDirectoryPro: ${TOK}" --header "Content-Type: application/json" --data \
'{"client_id":["mobile"],
"realm":["/"],
"userpassword":["password"],
"com.forgerock.openam.oauth2provider.clientType":["Confidential"],
"com.forgerock.openam.oauth2provider.redirectionURIs":
["'"${URL}/oauth2/oauth2.htm"'","'"${URL}/oIDc/openidc.htm"'"],
"com.forgerock.openam.oauth2provider.scopes":["cn|Name","mail|Email","openid","profile"],
"com.forgerock.openam.oauth2provider.defaultScopes":["cn"],
"com.forgerock.openam.oauth2provider.responseTypes":["code","token","id_token","code token","token id_token","code id_token","code token id_token"],
"com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg":["HS256"],
"com.forgerock.openam.oauth2provider.name":["Test Client"],
"com.forgerock.openam.oauth2provider.description":["OIDC 1.0 Client"]
}' \
"${AM}/frrest/oauth2/client/?_action=create"

Page 10

Scripting in OpenIDM

Page 11

Scripted Connectors

• Scripted Groovy Connector Implementations
– Scripted SQL
– Scripted REST
– Scripted CREST
– Scripted Azure
• Samples provided!
• Microsoft Integration – The Scripted PowerShell Connector
• Samples provided illustrating Active Directory

Page 12

OpenIDM Services

openidm.create("managed/user", bjensen, map);
openidm.patch("managed/user/" + user._id, null, [{"operation" : "replace", "field" : "/password", "value": "Passw0rd"}]);
openidm.read("managed/user/" + userId);
openidm.update('managed/user/' + source._id, null, user_read);
openidm.delete('managed/user/' + user._id, user._rev);
openidm.query("managed/user", { "_queryFilter": "/userName sw \"user.1\"" }, ["userName", "_id"]);
openidm.action('sync', 'performAction', content, params);

Page 13

OpenIDM Services

openidm.encrypt(value, cipher, alias);
openidm.decrypt(value);
openidm.isEncrypted(object);
openidm.hash(value, algorithm);

logger.info(string message, object... params);
logger.debug(string message, object... params);
logger.error(string message, object... params);
logger.trace(string message, object... params);
logger.warn(string message, object... params);

Page 14

Where can scripts be triggered?

• Scripts in Mappings (conf/sync.json)
– Triggered by situation (onCreate, onUpdate, onDelete, onLink, onUnlink)
– Object filter (validSource, validTarget)
– Correlating objects (correlationQuery, correlationScript)
– Any reconciliation
– Scripts inside properties
• Scripts called in the managed object configuration (conf/managed.json) file
– onCreate, onRead, onUpdate, onDelete, onValidate, onRetrieve, onStore, onSync, postCreate, postUpdate, and postDelete
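An added example (not from the webinar or from OpenIDM itself) of what a managed/user onCreate script from conf/managed.json can do with the openidm.query and logger services listed on the previous slides. The script body is wrapped in a function so it runs outside OpenIDM; the `object`, `openidm` and `logger` parameters stand in for the globals OpenIDM injects, and the fake openidm service and its one stored user are constructed here.

```javascript
// Added example: managed/user onCreate hook, written as a function for testing.
// In OpenIDM the same body would run with `object`, `openidm`, `logger` as globals.
function onCreateUser(object, openidm, logger) {
  if (typeof object.userName !== "string" || object.userName.trim() === "") {
    throw { code: 400, message: "userName is required" };
  }
  // Normalise before any uniqueness check so "BJensen" and "bjensen" collide.
  object.userName = object.userName.trim().toLowerCase();

  // Only allow characters that can be placed safely inside a query filter
  // string; this also blocks filter-syntax characters such as quotes.
  if (!/^[a-z0-9._@-]+$/.test(object.userName)) {
    throw { code: 400, message: "userName contains unsupported characters" };
  }

  // Reject duplicates via the query-filter syntax shown on the slides.
  var existing = openidm.query("managed/user",
    { "_queryFilter": '/userName eq "' + object.userName + '"' }, ["_id"]);
  if (existing.result.length > 0) {
    logger.warn("Duplicate registration attempt for {}", object.userName);
    throw { code: 409, message: "userName already in use" };
  }

  // Privilege fields must never come from the caller's payload on create;
  // an administrator grants them later with a separate patch.
  if (object.roles !== undefined) {
    logger.warn("Stripping caller-supplied roles on create for {}", object.userName);
    delete object.roles;
  }
  return object;
}

// Constructed stand-ins for OpenIDM's injected services, so the hook runs offline.
var USERS = [{ _id: "1", userName: "bjensen" }];
var fakeOpenidm = {
  query: function (resource, params, fields) {
    var m = /^\/userName eq "([^"]*)"$/.exec(params._queryFilter);
    return { result: USERS.filter(function (u) { return u.userName === m[1]; }) };
  }
};
var fakeLogger = { warn: function () {}, info: function () {} };
```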

Page 15

Where can scripts be triggered?

• Scripts called in the router configuration (conf/router.json) file
– onRequest, onResponse, onFailure
• Scripted Connectors
– Scripted SQL
– Scripted Groovy
– Scripted REST/CREST
– Scripted SAP
– Scripted SSH
– Scripted PowerShell

Page 17

Overview

• Script Design and Workflow in OpenAM
• Device Registration and Authentication
– A more standard way of using the Scripting Framework
– Demo
• The Scripting API
– Useful in geo fencing using reverse geocode lookup
– Useful for policy or role-based authentication
– Demo

Page 18

Scripting Design – The Client Side Script

• Authentication modules can use Client Side scripts and Server Side scripts (JavaScript or Groovy)
• The use of a Client Side script is optional
• Used as a data collection mechanism
– Geo location / Fonts / Screen resolution / Timezone
– Browser Plugins
• Returns collected data in: clientScriptOutputData
– A string you could .split() to pull all client-side data

Page 19

The Client Side Script

Page 20

Scripting Design – The Server Side Script

• Handles Authentication
• Has access to:
– clientScriptOutputData (sent by the client script)
– Scripting API
• Must set the authentication state to
– SUCCESS or
– FAILED

Page 21

The Server Side Script

Page 22

Device Registration and Authentication in OpenAM

Page 23

Device Authentication

Page 24

Device Authentication

Page 25

Device Authentication

Page 26

Device Id (Match)

• Predefined scripts in OpenAM:
– Client side script
– Server side script
• Scripts are referenced inside Module instances
• Depends on other modules:
– For user identification (Data Store)
– Second factor on failure (HOTP)
– Device Id Save!

Page 27

Device Id (Match)

• Checks different criteria using Client Side Script
– User agents
– Installed fonts
– Installed plugins
– Resolution/color depth associated with a display
– Time zone, geo location
• Adds penalty points for each criterion that does not match
• Checks the sum of penalty points against a threshold
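The penalty-point comparison described on this slide, combined with the clientScriptOutputData string from the client-side script slides, as an added example that is not OpenAM's own Device Id (Match) script. The "key=value;key=value" layout of clientScriptOutputData, the per-criterion weights, the threshold and the stored profile are all assumptions made for this example.

```javascript
// Added example: server-side scoring of a collected device fingerprint against
// saved profiles. Weights and threshold are illustrative, not OpenAM defaults.
var PENALTY = { userAgent: 10, fonts: 10, plugins: 10, screen: 5, timezone: 5, geo: 15 };
var THRESHOLD = 20;

// Split the client-side string into an attribute map; malformed pairs are ignored.
function parseClientData(clientScriptOutputData) {
  var out = {};
  String(clientScriptOutputData).split(";").forEach(function (pair) {
    var i = pair.indexOf("=");
    if (i > 0) out[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  });
  return out;
}

// Add the penalty for every criterion that differs from the stored profile.
// A criterion the client did not send at all also counts as a mismatch.
function scoreAgainstProfile(collected, storedProfile) {
  var points = 0;
  Object.keys(PENALTY).forEach(function (k) {
    if (collected[k] === undefined || collected[k] !== storedProfile[k]) points += PENALTY[k];
  });
  return points;
}

// The best-matching saved profile decides: SUCCESS if it stays within the
// threshold, otherwise FAILED so the chain can fall through to the HOTP step.
function deviceMatchDecision(clientScriptOutputData, savedProfiles) {
  var collected = parseClientData(clientScriptOutputData);
  var best = Infinity;
  savedProfiles.forEach(function (p) {
    best = Math.min(best, scoreAgainstProfile(collected, p));
  });
  return best <= THRESHOLD ? "SUCCESS" : "FAILED";
}

// Constructed sample: one stored profile and a client string from the same
// laptop with a changed resolution and time zone (5 + 5 points, under threshold).
var SAVED = [{ userAgent: "Firefox/41", fonts: "Arial,Verdana", plugins: "pdf",
               screen: "1440x900x24", timezone: "60", geo: "51.5,-0.1" }];
var CLIENT = "userAgent=Firefox/41;fonts=Arial,Verdana;plugins=pdf;" +
             "screen=1920x1080x24;timezone=-300;geo=51.5,-0.1";
```

In the real server-side script the returned value would be assigned to authState (SUCCESS or FAILED), which is the state the module must set.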

Page 28

Device Id (Save)

• Prompts the user before saving the device profile
– Can be configured to auto save
• Will save the device profiles in the user’s profile
– Number of profiles stored can be changed from a default of 5
• Authentication chain is usually configured not to reach this module if the device was recognized by the Device Id (Match) module
– Device Id Match configured as Sufficient ensures processing stops if a profile match was found

Page 29

Demo – Device Fingerprinting

Page 30

Scripted Authentication in OpenAM

Page 31

Scripted Authentication

Page 32

HTTP Commons Framework (coming in OpenAM 13)

• org.forgerock.http.protocol.*
– Request / Cookie / Entity / Header / Headers / Response
• org.forgerock.util.promise.*
– Promises – A Promise represents the result of an asynchronous task.
• groovy.json.JsonSlurper
– JSON parser used in the scripts
• API Documentation
– http://commons.forgerock.org/bom/apidocs/index.html

Page 33

Scripting API

• Make REST API calls from the Server Side Script!
– Use the new HTTP Commons Framework to make a new Request
– httpClient.send(Request) returns a Promise
– Promise.get() returns a Response
– Parse the Response using JsonSlurper!
• Accessing Authentication State
– OpenAM passes to the Server Side script:
• authState, sharedState (contains the password also)
• username

Page 34

Scripting API

• Logging
– logger
• error() / message() / warning()
• Accessing Profile Data
– idRepository
• getAttribute / setAttribute / addAttribute
• Access the original login request using the requestData object
– getHeader(name) / getHeaders(name)
– getParameter(name) / getParameters(name)

Page 35

Policy Configuration for Demo

Page 36

Scripting Demo

Acquire ssoToken using REST

Evaluate policy for the resources “authn/self” and “authn/view”

Page 37

Scripting Demo

Policy decision

Check Policy decision and permit if requested actions ALLOWED

Logout the service account or the user
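The decision step of the demo (send the policy evaluation over REST, block on Promise.get(), parse the response, permit only if the requested actions are ALLOWED), as an added example in JavaScript that is not the webinar's demo script. The response shape assumed is the OpenAM policies?_action=evaluate array of {resource, actions, advices}; the httpClient passed in is a constructed stand-in with the send(...).get() shape from the slides, so building a real org.forgerock.http.protocol.Request is outside this example.

```javascript
// Added example: fail-closed policy check for a scripted authentication module.
// Resources and actions are the demo's; the assumed response format is noted above.
var REQUIRED = { "authn/self": ["GET"], "authn/view": ["GET", "POST"] };

// Permit only if every required resource appears in the decision with every
// requested action explicitly true. Missing resources, missing actions and
// outstanding advices (e.g. a higher auth level is needed) all deny.
function allActionsAllowed(decisions, required) {
  var byResource = {};
  decisions.forEach(function (d) { byResource[d.resource] = d; });
  return Object.keys(required).every(function (res) {
    var d = byResource[res];
    if (!d || (d.advices && Object.keys(d.advices).length > 0)) return false;
    return required[res].every(function (a) { return !!d.actions && d.actions[a] === true; });
  });
}

// Demo flow: evaluate as the service account (header) on behalf of the user
// (subject), block on Promise.get(), parse the JSON entity, map to a state.
function decideFromPolicy(httpClient, serviceToken, userToken, required) {
  var request = { method: "POST", uri: "/openam/json/policies?_action=evaluate",
    headers: { "iplanetDirectoryPro": serviceToken, "Content-Type": "application/json" },
    body: { resources: Object.keys(required), subject: { ssoToken: userToken } } };
  var response = httpClient.send(request).get();   // Promise -> Response
  if (response.status !== 200) return "FAILED";     // transport/HTTP errors deny
  var decisions = JSON.parse(response.entity);      // JsonSlurper's role, in JS
  return allActionsAllowed(decisions, required) ? "SUCCESS" : "FAILED";
}

// Constructed stand-in for httpClient returning a canned evaluation result.
function fakeClient(status, decisions) {
  return { send: function () { return { get: function () {
    return { status: status, entity: JSON.stringify(decisions) }; } }; } };
}
// Constructed decision: authn/view allows GET but not POST.
var SAMPLE = [
  { resource: "authn/self", actions: { GET: true }, advices: {} },
  { resource: "authn/view", actions: { GET: true, POST: false }, advices: {} }
];
```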

Page 38

Demo – Scripted Authentication

Page 39

Other Possibilities

• Policy condition scripting
– Attach a script as a policy condition!
• OIDC Claims data
– Scripts that gather and populate the claims in a request when issuing an ID token or making a request to the userinfo endpoint.

Page 40

IDENTITY SUMMIT SERIES 2015: EUROPE

5 November Amsterdam

10 November Düsseldorf

Visit summits.forgerock.com

Page 41

Thank You!

Questions?