The ForgeRock is a rolling stone at the moment and gathering no moss. Here are some of the things we have been up to recently:

• Revamping our website
• Fixing known OpenSSO issues in OpenAM
• Continuing development of OpenIDM
• Expanding our ForgeRock organization in the US and UK
• Unveiling Open Source guru Simon Phipps as Chief Strategy Officer
• Talking to James Gosling
• Supporting customers like BetFair and the Norwegian Railways as they go into production on OpenAM

As it happens, our Rock is at the top of a big hill and we are still picking up speed

I hope all attendees enjoyed the summit as much as I have. It’s been a real pleasure to meet face to face some of the project members, customers and partners I’ve interacted with, over emails and phone for the last 3 years, and to see again colleagues, ex-coworkers…

All the photos that I’ve captured during the summit are now publicly available on Flickr.

See you at the next summit !

[Update on June 19] The presentations from the summit are now online. Goto the Summit page and click on the Agenda.

Join us for the Open Identity Stack Summit Europe, on 14-16 October 2013 at the Domaine de Béhoust, France.

We will be gathering at ForgeRock’s luxe Chateau, Domaine de Béhoust (just outside Paris), where our Open Identity Stack community will delve into OpenAM, OpenIDM, and OpenDJ best practices, use cases, how-tos, and more.

We’ve been saying for a long time that identity & access management (IAM) must be reconstructed to adapt to today’s problems. Modern APIs, standards, scale, speed, and modular architecture are all needed for successful modern IAM deployments. The agenda will include dynamic working sessions addressing the latest IAM developments, including mobility, identity bridge, and customer case studies.

A call for papers is open. If you are doing something interesting with the Open Identity Stack and you would like to share the experience by presenting a session at the summit, send your proposal by September 4.

ForgeRock’s chateau is large, but registration is limited. Therefore, I encourage you to reserve your spot and register quickly !

If you want to get a feel of the atmosphere of the conference, check the photo album from the first ForgeRock Open Identity Summit or get a glimpse at the skills of one of our keynote speakers :
I hope to see you at ForgeRock’s chateau in October !

Last week, ForgeRock hosted its first european Open Identity Summit, in the “Chateau de Béhoust” just outside Paris. For two and half days, our 110+ visitors, a mix of customers, prospect customers, partners and consultants, could attend presentations, meet and greet with ForgeRock employees, have lengthy discussions with peers, exchanging experience or use case scenarios around the ForgeRock Open Identity Stack. All of this in a very relaxed and friendly atmosphere.

All of the presentations have been filmed and will be available shortly through our web site and the summit page. If you missed the event and want to get a feel of the content, please check Simon Moffat’s review.

As usual, I’ve taken a few pictures of the event.

Thanks to all attendees and sponsors of the event. And see you next year for the second edition of our ForgeRock summits.

The date has been set, the 2014 ForgeRock summit in United States will take place on the week of June 2nd, in Phoenix AZ.

Make sure you block the date in your calendar ! I hope to see you there.

And if you’re in Europe, don’t panic ! We are also planning an EMEA summit in the fall. The date and location will be announced later.

Photo by https://www.flickr.com/photos/tochis

There are conferences and there are Conferences. The Conferences are the ones that you remember, because they happened in unusual places, because they’ve had a different atmosphere, you’ve met lots of friendly and bright persons. They are the ones you leave with the satisfaction of having learned something, having received value, and you’re looking forward to come back next year.

The IRM Summit is one of these Conferences. The next European IRM Summit is taking place in November, 3 - 5, near Dublin, Ireland, at the Powerscourt Estate pictured here. It’s a 2 days event where you can learn and discuss about the Identity Relationship Management space, standards, platforms, solutions…There will be many presentations, demos, trainings, plenty of time for discussions and meetings, a free half day Kantara Initiative workshop around “Trusted IDentity Exchange (TIDX)”, and some fun. I can already hear the fiddle, the pipes, the harp and smell the Guinness ! And I hope the weather will let us enjoy the wonderful garden.

Check out the agenda and the list of speakers, and don’t wait until last minute to register. While there are hundreds of rooms available, they are still counted and limited. Last year’s summit was sold out !

I’m looking forward to see you in beautiful Ireland !

Last week at the nice Powerscourt Estate, outside Dublin, Ireland, ForgeRock hosted the European Identity Relationship Management Summit, attended by over 200 partners, customers, prospects, users of ForgeRock technologies. What a great European IRMSummit it was !

If you haven’t been able to attend, here’s some highlights:

I heard many talks and discussions about Identity being the cornerstone in the digital transformation of enterprises and organizations. It shifting identity projects from a cost center to revenue generators.

There was lots of focus on consumer identity and access management, with some perspectives on current identity standards and what is going to be needed from the IRM solutions. We’ve also heard from security and analytics vendors, demonstrating how ForgeRock’s Open Identity Stack can be combined with the network security layer or with analytics tools to increase security and context awareness when controlling access.

User Managed Access is getting more and more real, as the specifications are getting close to be finalised and ForgeRock announced the OpenUMA initiative for foster ideas and code around it. See forgerock.org/openuma.

Many talks about Internet of Things and especially demonstration around defining the relationship between a Thing and a User, securing the access to the data produced by the Thing. We’ve seen a door lock being unlocked with a NFC enabled mobile phone, by provisioning over the air the appropriate credentials, a smart coffee machine able to identify the coffee type and the user, pushing the data to a web service, and asking the user for consent to share. There’s a common understanding that all the things will have identities and relations with other identities.

There were several interesting discussions and presentations about Digital Citizens, illustrated by reports from deployments in Norway, Switzerland, Nigeria, and the European Commission cross-border authentication initiatives STORK and eIDAS…

Half a day was dedicated to ForgeRock products, with introductory trainings, demonstrations of coming features in OpenAM, OpenDJ, OpenIDM and OpenIG. During the Wednesday afternoon, I did 2 presentations on OpenIG, demonstrating the ease of integration of OAuth2.0 and OpenID Connect to protect applications and APIs, and on OpenDJ, demonstrating the flexibility and power of the REST to LDAP interface.

All presentations and materials are available online as pdf and now as videos on the ForgeRock’s YouTube page. You can also find here a short summary of the Summit in a video produced by Markus.

The summit wouldn’t be such a great conference if there was no plan for social interactions and fun. This year we had a nice dinner in the Powerscourt house (aka the Castle) followed by live music in the pub. The band was great, but became even better when Joni and Eve joined them for a few songs, for the great pleasure of all the guests.

Of course, I have to admit that the best part of the IRM Summit in Ireland was the pints of Guinness !

To all attendees, thank you for your participation, the interesting discussions and the input to our products. I’m looking forward to see you again next year for the 2015 edition. Sláinte !

As usual, you can find the photos that I’ve taken at the Powerscourt Estate on Flickr. Feel free to copy for non commercial use, and if you do republish them, I would appreciate getting the credit for them.

[Updated on Nov 11] Added link to the highlight video produced by Markus
[Updated on Nov 13] Added link to the slideshare folder where all presentations have been published
[Updated on Nob 24] Added link to the all videos on ForgeRock’s YouTube page

This past Thursday ForgeRock released OpenAM 12.0.0, a major update with so many improvements and new features that this post only hits a few highlights. You can download OpenAM 12.0.0 from http://forgerock.com/download-stack/.

OpenAM provides an access management solution handling authentication and authorization for all sorts of applications, no doubt including yours. OpenAM does SSO with delegated authentication to over 20 authn services out of the box, authorization both though centralized policies and also using delegated approaches (OAuth 2.0, etc.), security token brokering and more. OpenAM supports a rich set of standards like SAML, OAuth 2.0, OpenID Connect, GSMA Mobile Connect, not to mention standards for authentication. Of course OpenAM is open source and fully extensible as well. The OpenAM service runs as a web application in a variety of containers such as JBoss, Tomcat, WebLogic and WebSphere. OpenAM policy enforcement agents give you out-of-the box protection for many web sites and web applications, though you can also do your own enforcement using OpenAM’s REST APIs.

As a major release, OpenAM 12.0.0 is leap forward in many areas:

• Default end user pages now use responsive, client-side layout with lots of self-service features (self-registration, password reset, app management, etc.) ready to go.
• Wizards make it a snap to delegate authentication to Facebook, Google, MSN and other online providers.
• Policy administration works through a new wizard-based editor, and both policy administration and policy evaluation have well-defined REST APIs for all operations.
• Script language support for authentication modules let your scripted modules call out to other applications using JavaScript or Groovy, making it easier to integrate external risk management in addition to OpenAM’s built-in capabilities.
• Security token services now come with a REST API.
• OpenAM supports OAuth 2.0 and OpenID Connect 1.0 more fully than before, with additional support for GSMA Mobile Connect.
• And much more…

To see the whole list of features, start by reading the Release Notes for details. Full documentation is available on docs.forgerock.org.

When you start using OpenAM 12.0.0 and find that you have questions, in addition to the mailing list ForgeRock also now provides an OpenAM Forum. We look forward to hearing from you.

Thanks to Chris Lee, the most recent technical writer at ForgeRock, there is now a new visual design for the snapshot documentation for our open source projects.
Check it out on the OpenDJ Administration Guide, the OpenDJ SDK Developer’s Guide, the OpenIDM Integrator’s Guide or the Guide to OpenIG…

Thanks to Chris Lee, the most recent technical writer at ForgeRock, there is now a new visual design for the snapshot documentation for our open source projects.
Check it out on the OpenDJ Administration Guide, the OpenDJ SDK Developer’s Guide, the OpenIDM Integrator’s Guide or the Guide to OpenIG…

This blog post was first published @ www.fedji.com, included here with permission.

In a less than 2 minute video that follows, you’ll see me setting up E-mail service in ForgeRock OpenAM, a facility that is used by OpenAM features such User Self Registration. Because I know for certain I’ll have to refer to this video on a number of occasions in future while demonstrating other capabilities of OpenAM, I’ve decided to keep this video tutorial separate and independent. It’s tiny, of course:

Enjoy!

This blog post was first published @ www.fedji.com, included here with permission.

ForgeRock OpenAM is not meant for User Provisioning. Consider, ForgeRock OpenIDM for the same. Still, OpenAM does offer a facility for User Self Registration. In this segment, let’s have a look at how it’s done using the User Interface of OpenAM (XUI). As you can guess, it’s not a difficult task at all. Have a look.

Before I forget, the E-mail Service needs to be configured in OpenAM for the User Self Registration to work, so if you don’t know how that’s done, we have another video here.

Enjoy!

Security vulnerabilities have been discovered in OpenAM components. These issues are present in versions of OpenAM including 12.0.x and 11.0.x.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues, which are also included in the 12.0.2 maintenance release.

The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM 12.0.2 or deploy the relevant patches. Patch bundles are available for the following versions:

• 11.0.3
• 12.0.0
• 12.0.1

Customers can obtain these patch bundles from BackStage.

Issue #201506-01: Thread-safety issues with CTS when encryption is enabled

Product: OpenAM
Affected versions: 11.0.0-11.0.3 and 12.0.0-12.0.1
Fixed versions: 12.0.2
Component: Core Server, Server Only
Severity: Critical

When the Core Token Service token encryption is enabled and the system is under a heavy load, it is possible that incorrect session/SAML/OAuth2 tokens are returned by the CTS.

Workaround:

Disable token encryption by setting the following property to false:

com.sun.identity.session.repository.enableEncryption

in the OpenAM console via Configuration -> Servers and Sites -> Default Server Settings -> Advanced or via ssoadm:

ssoadm update-server-cfg --servername default --adminid amadmin --password-file /tmp/pwd.txt --attributevalues com.sun.identity.session.repository.enableEncryption=false

This setting is false by default.

Note:

By changing this setting, any existing encrypted tokens stored in CTS will become unreadable by OpenAM.

Resolution:
Use the workaround or update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201506-02: Possible user impersonation when using OpenAM as an OAuth2/OIDC Provider

Product: OpenAM
Affected versions: 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.1
Fixed versions: 12.0.2
Component: Core Server, Server Only
Severity: High

When using multiple realms, it is possible for an authenticated user in realmA to acquire OAuth2 and OpenID Connect tokens that correspond to realmB.

Workaround:

None.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

This blog post was first published @ www.fedji.com, included here with permission.

In an earlier post, we saw User Self Registration in ForgeRock OpenAM using XUI. It’s likely that you may not want to use the UI that comes with OpenAM, but may have reasons to build your own UI/Application on the REST API to operate on ForgeRock’s Access Management Solution. Keeping that in mind, a discussion on User Self Registration in OpenAM is incomplete without showing you how it is done using REST. Like many other examples you may already be familiar with around REST calls to ForgeRock products, you’ll see the usage of simple, yet powerful ‘curl’ to invoke REST calls to OpenAM for Self Registering a User. Here’s a list of related video blogs that you may want to watch before watching the one that’s embedded below.

– User Self Registration in ForgeRock OpenAM Part I – Using XUI
– E-mail Service Configuration in ForgeRock OpenAM

If you are ready, let’s go:

This blog post was first published @ http://blogs.forgerock.org/petermajor/, included here with permission.

The ssoadm command line tool is a quite powerful ally if you want to set up your OpenAM environment without performing any operation through the user interface, i.e. when you just want to script everything.

Whilst the tool itself allows you to do almost anything with the OpenAM configuration, finding the right set of commands for performing a certain task, is not always that straightforward… In today’s example we will try to figure out which commands to use to set up an OAuth2 provider.

When using the Common Tasks wizard to set up an OAuth2 Provider we can see that there are essentially two things that the wizard does for us:

• Configure a realm level service for the OAuth2 Provider
• Set up a policy to control access to the /oauth2/authorize endpoint

Setting up a realm level service

Well, we know that we are looking for something that sets up a service, so let’s see what command could help us:

$ openam/bin/ssoadm | grep -i service -B 1
...
--
    add-svc-realm
        Add service to a realm. 
--
...

Well, we want to add a service to a realm, so add-svc-realm sounds like a good fit. Let’s see what parameters it has:

$ openam/bin/ssoadm add-svc-realm
...
Options:
    --realm, -e
        Name of realm.

    --servicename, -s
        Service Name.

    --attributevalues, -a
        Attribute values e.g. homeaddress=here.

    --datafile, -D
        Name of file that contains attribute values data.

Alright, so the realm is straightforward, but what should we use for servicename and datafile?

Each service in OpenAM has a service schema that describes what kind of attributes can that service contain and with what syntaxes/formats/etc. Since all the default service definitions can be found in ~/openam/config/xml directory, let’s have a look around and see if there is anything OAuth2 related:

$ ls ~/openam/config/xml
... OAuth2Provider.xml ...

After opening up OAuth2Provider.xml we can find the service name under the name attribute of the Service element (happens to be OAuth2Provider).

So the next question is what attributes should you use to populate the service? All the attributes are defined in the very same service definition XML file, so it’s not too difficult to figure out what to do now:

$ echo "forgerock-oauth2-provider-authorization-code-lifetime=60
forgerock-oauth2-provider-refresh-token-lifetime=600
forgerock-oauth2-provider-access-token-lifetime=600" > attrs.txt
$ openam/bin/ssoadm add-svc-realm -e / -s OAuth2Provider -u amadmin -f .pass -D attrs.txt

Creating a policy

Creating a policy is a bit more complex since 12.0.0 and the introduction of XACML policies, but let’s see what we can do about that.

Using ssoadm create-xacml

The XACML XML format is not really pleasant for the eyes, so I would say that you better create that policy using the policy editor first, and then export that policy in XACML format, so that you can automate this flow.

Once you have the policy in XACML format, the ssoadm command itself would look something like this:

$ openam/bin/ssoadm create-xacml -e / -X oauth2-policy.xml -u amadmin -f .pass

Using the REST API

The policy REST endpoints introduced with 12.0.0 are probably a lot more friendly for creating policies, so let’s see how to do that:

$ echo '{
   "resources" : [
      "http://openam.example.com:8080/openam/oauth2/authorize?*"
   ],
   "subject" : {
      "type" : "AuthenticatedUsers"
   },
   "active" : true, 
   "name" : "OAuth2ProviderPolicy",
   "description" : "", 
   "applicationName" : "iPlanetAMWebAgentService",
   "actionValues" : {
      "POST" : true, 
      "GET" : true
   }
}' > policy.json
$ curl -v -H "iplanetdirectorypro: AQIC5wM...*" -H "Content-Type: application/json" -d @policy.json http://openam.example.com:8080/openam/json/policies?_action=create

Hope you found this useful.

This blog post was first published @ www.fedji.com, included here with permission.

This post is based on the ForgeRock Documentation on configuring OpenIG as SAML 2.0 Service Provider. The video logs embedded just below this write up is a visual representation of what is already there in the document that I mentioned above. For a detailed study, please read through the documentation and then sit back, relax and watch the demonstration in the screen-cast below

SAML 2.0 as you probably know is a standard to exchange information between a SAML authority (a Identity Provider a.k.a IDP) and a SAML Consumer (a Service Provider a.k.a SP). In the demonstration that follows ForgeRock OpenAM acts as an Identity Provider and ForgeRock OpenIG acts as a Service Provider. So the authentication of a user is done by the IDP, who will then send a piece of information (Assertion) to the SP that could contain the attributes of user from the user’s profile in the IDP DataStore. SP will then use the information thus obtained (Assertion) to take further action (like giving access to the user etc.)

There are two ways of getting this done:
(i) SP initiated SSO
(ii) IDP initiated SSO

In simple words, in a SP initiated SSO, the user contacts the Service Provider, who in turns gets in touch with the Identity Provider, who would validate the user credentials and then exchange a piece of information (Assertion) that could contain the user attributes to the Service Provider. Whereas a IDP initiated SSO, the IDP will authenticate the user, and would then send an unsolicited message (Assertion) to the SP, who would then take further action (like giving access to the user etc.)

The following two illustrations might give a rough idea:

In our story (above in the illustration and below in the video), a user authenticates against ForgeRock OpenAM (IDP), who will send then an assertion (containing user’s mail and employeenumber attribute) to ForgeRock OpenIG (Service Provider), who will apply filters (like extracting the attributes from assertion and posting it as username and password) to post the user’s credentials to a protected application (Minimal HTTP Server)

If you’ve got a vague picture on what’s discussed above, I’d believe it’ll be clearer after watching the video below:

Enjoy!

This blog post was first published @ identityrelationshipmanagement.blogspot.co.uk, included here with permission.

IoT and smart device style use cases, often require the need to authorize a device to act on behalf of a user.  A common example is things like smart TV’s, home appliances or wearables, that are powerful enough to communicate over HTTPS, and will often access services and APIs on the end user’s behalf.

How can that be done securely, without sharing credentials?  Well, OAuth2 can come to the rescue. Whilst not part of the ratified standard, many of the OAuth2 IETF drafts, describe how this could be acheived using what’s known as the “Device Flow”  This flow leverages the same components of the other OAuth2 flows, with a few subtle differences.

Firstly, the device is generally not known to have a great UI, that can handle decent human interaction – such as logging in or authorizing a consent request.  So, the consenting aspect, needs to be handled on a different device, that does have standard UI capabilities.  The concept, is to have the device trigger a request, before passing the authorization process off to the end user on a different device – basically accessing a URL to “authorize and pair” the device.

Once authorized, the device can then call the ../oauth2/device/token? endpoint with the necessary client credentials and device_code, to receive the access and refresh token payload – or OpenID Connect JWT token as well.

The device can then start accessing resources on the users behalf – until the user revokes the bearer token.

NB – this OAuth2 flow is only available in the nightly OpenAM 13.0 build.

DeviceEmulator code that tests the flows is available here.

This blog post was first published @ www.fedji.com, included here with permission.

If you experience Deja Vu by looking at the illustration just below, chances are that you’ve hit my blogs before, in particular on this entry, where we looked at ForgeRock OpenAM as an Identity Provider and ForgeRock OpenIG as a Service Provider.

A friend asked me if I could demonstrate a very simple configuration of Federation using two ForgeRock OpenAM instances, one acting as an Identity Provider (a.k.a IDP) and another one taking up the role of a Service Provider (a.k.a SP). It wasn’t difficult to do one, so here we have it embedded towards the end of this post.

So what do we have here:

– A Circle of Trust which has two OpenAM instances, one of which acting as an Identity Provider and another one as Service Provider
– User always authenticates against the Identity Provider
– The authentication process is intiated either by the IDP (known as IDP initiated SSO) or by the SP (SP initiated SSO)
– Once the user is authenticated successfully, IDP sends across a piece of security information to the SP (known as assertion) that could contain user attributes
– SP then gives the user access to protected resources

In the demonstration that follows, because ‘Auto Federation’ is not enabled, during the first login the user will be prompted for credentials both by the IDP and the SP. Once the account linking is done, it’s only the IDP who would challenge the user.

If the illustration and the briefing above hasn’t given you the complete picture, the video below might give a better one.

Enjoy!

This blog post was first published @ www.fedji.com, included here with permission.

The video demonstration embedded below this write-up is dangerously similar to the video here , published more than three months ago. I’ve had challenges making this one though, which is when my colleagues Jon Knight and Albert Ayoub stepped forward to lend a helping hand. So if you ready, let’s see how ForgeRock OpenAM lets a user authenticate against his/her Facebook account to gain access to OpenAM (read applications protected by OpenAM).

Enjoy!

There is a very useful article around this right here.

This blog post was first published @ www.fedji.com, included here with permission.

I had left a task unfinished yesterday. When I published my previous post on to my little space in the blogosphere, I kept aside a crucial piece of information. If you haven’t read/viewed my earlier blog on ForgeRock OpenAM Social Authentication (Facebook) Using OAuth2 and don’t know how to configure OAuth2 Authentication Module in ForgeRock OpenAM, I’d request you to first take a look at it.

And now here’s the missing thread: in the last video, we authenticated the OpenAM users against their Facebook Account, but then they had their profile available in the OpenAM Identity Repository as well, which only meant that on Successful Authentication with Facebook, if the users did not have their profile in OpenAM, they were not let in. We take a different stand this time around allowing in even those users without an OpenAM profile, by having OpenAM provision their accounts in its Identity Repository using the attributes returned by Facebook on successful authentication.

Enjoy!