A Beginners Guide to OpenIDM – Part 1

Introducing OpenIDM

This is the first in a series of blogs aiming to demystify OpenIDM, the Identity Management component of the ForgeRock platform.

I have actually been really impressed with OpenIDM and how much you can accomplish with it in a short time. It is fair to say though that if you are used to more traditional IDM technologies such as Oracle Identity Manager then it can take a bit of time to get your head around how OpenIDM works and how to get things done.

In the first of this series of blogs I want to walkthrough a basic installation of OpenIDM, look at the architecture of the product and how everything fits together.


OpenIDM is primarily concerned with the following functionality:
  • Objects and relationships: Quickly modelling complex objects, schemas and the relationships between them, e.g. for users, devices and things and exposing them as RESTful resources.
  • Data Synchronization: Moving data to and from systems such as Active Directory, databases, webservices and others, makes use of connectors and mappings to:
    • Create and update users and accounts in target systems i.e. pushing data to target systems from OpenIDM.
    • Reconcile users and accounts from target systems i.e. pulling data into OpenIDM from target systems.
    • Move data about users, devices and things to and from any other system.
  • Workflow Engine: processes such as request and approval of access to resources and much more.
  • Self Service: Enabling end users to easily and securely register accounts, retrieve forgotten passwords and manage their profiles.
  • Task Scheduling: Automating certain processes to run periodically.
All of this is built upon a consistent set of REST APIs with numerous hooks throughout the platform for scripting behaviors using Groovy or javascript.
OpenIDM also makes use of a data store into which it reads and writes:
  • Data for users, devices and things: e.g. actual user account data such as first_name=Wayne, last_name=Blacklock for all objects that OpenIDM is managing.
  • Linked account data: “Mirrored data” for the systems that OpenIDM has been integrated with. This enables you to view and manipulate all of a users account data across all systems from OpenIDM.
  • Various pieces of state relating to workflow, scheduling and other functionality.
Finally, all of the OpenIDM’s config is stored as .json files locally per deployment.

Logical Architecture

The diagram below aims to give you a bit of an overview of how OpenIDM fits together. We will explore each major component in detail with worked examples over the next few months.

Getting Started

This blog series is intended to be a practical introduction to OpenIDM so the first thing we need to do is download and install it from here:
Note: For now we are going to use the embedded OpenIDM OrientDB database, rather than install an external database. The OrientDB database ships with OpenIDM and is ready to go right from the start however please note it is not suitable for production deployments. We will cover the usage of another database for enterprise deployments later in the series.
Download and unzip OpenIDM to a directory. Make sure you have Java installed, configured and available from the command line.
To start up OpenIDM simply type:


That’s it! By default OpenIDM runs on port 8080. You can them navigate to the interfaces at:

You’ll note both pages look similar, but one is for users and one is for admins.

The default username and password for the administrator is openidm-admin / openidm-admin.

Log into the administrator interface, once you have logged in you should see the dashboard:

Over the rest of this series we will explore the functionality of OpenIDM in detail.


Comments are closed.

  1. SBMittal 6 years ago

    This is a great post Wayne! Thanks for this initiative

    Is there any way one can subscribe for this series?


  2. Author
    Wayne Blacklock 6 years ago

    Hi. Thanks very much for the feedback. Good question. I have added a Subscription link to the blog:


    If there is a better way please let me know but I think that should work. Likewise if there is anything you want me to cover please again let me know. Thanks!

  3. wilslm 6 years ago

    ‘Self Service: Enabling end users to easily and securely register accounts, retrieve forgotten passwords and manage their profiles.’

    Assuming the user logon is created by SuperAdmin, how does Open IDM send the initial password to the user? Do we have a sample use cases that are supported out of the box from Open IDM?

  4. Exploring_Singh 6 years ago

    Hi All,

    As i am new to Forgerock, My silly question is why we are not able to authenticate using openidm ?

  5. Thank You

  6. alvin 6 years ago


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?