Create Custom Pages for User Management in OpenAM

This topic has 3 replies, 3 voices, and was last updated 7 years, 1 month ago by Rogerio Rondini.

  • #4147
     Manchanda, P
    Participant

    Respected OpenAM Experts,

    My query is related to creating a User Management Application using OpenAM as a back end. We are planning to use OpenAM with OpenDJ as the data store for our authentication needs. OpenAM provides limited user management capabilities, at least from a UI perspective. So, our thought process is to create our own UI and use OpenAM as the back end. Our requirements for user management are pretty simple:

    • User life cycle management (create, disable, delete, update)
    • Password policies, at realm level and user level (please note that we would be having multiple realms)
    • Password reset, using a security-questions-based flow. We don’t want to use the OpenAM feature that sends out a mail with a password reset link. We want this feature to be available on the UI

    So, my queries are:

    • Where should my UI pages exist? As a separate web app or within OpenAM’s war?
    • Is the option of putting custom pages in OpenAM’s war recommended? I was not able to find any documentation related to it. What are the best practices for this, e.g. directory structure, coding guidelines, etc.?
    • Should my UI go against the OpenAM APIs or the OpenDJ APIs?
    • If I go against the OpenAM APIs, can I add custom attributes to my entities, e.g. realm, user?
    • If I go against the OpenDJ APIs, how will the custom attributes play when OpenAM handles the user authentication?
    • Based on my analysis of the ForgeRock tool set, I know that OpenIDM is the identity management tool and is recommended for user management. However, for the following reasons I don’t plan to use OpenIDM:

    • Don’t want to introduce another moving part
    • OpenIDM has its own database (RDBMS), so we would need a sync mechanism between OpenIDM and OpenAM/OpenDJ. I want to avoid this complexity also

    Thanks and Regards
    P Manchanda

    #4202
     Rogério Rondini
    Participant

    Hi,

    This is a long question :-)

    First of all, avoid packaging another web application with OpenAM or inside OpenAM. If you plan to build your own UI, keep it deployed outside of OpenAM.
    Yes, you can do all that you need using the OpenAM RESTful services. But keep in mind that OpenAM is not an Identity Management tool, which means that user management is quite limited in OpenAM. Please look at http://docs.forgerock.org/en/openam/12.0.0/dev-guide/index/chap-rest.html

    You can add custom attributes to Users just by configuring them as custom attributes in the OpenAM DataStore. About Realms, I think you can’t add custom attributes.

    Also, you can access OpenDJ using RESTful services too. It is very useful in that you can have the same technology on the client side.

    If you plan to use OpenIDM and build your User Management App on top of that, you will need to configure a simple LDAP connector in OpenIDM to sync between its internal database and OpenDJ.

    Regards.
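
The REST path Rogerio points at, as an added example that is not part of his reply and not ForgeRock's own code: a small Python client that builds the OpenAM 12 REST calls for the life-cycle operations the question lists (log in, create, disable, change password, delete) as inspectable request objects, so the exact HTTP exchange is visible before anything is sent. The host, realm, user names, attribute values and SSO token are constructed; the endpoint paths and header names follow the OpenAM 12 developer guide linked above, and `SESSION_COOKIE` assumes the default cookie name has not been changed.

```python
"""Builds the OpenAM 12 REST calls for the user life-cycle operations asked about
in the thread, so the exact HTTP exchange can be inspected before it is sent.
Added example, not ForgeRock code. Host, realm, user names, attribute values
and the SSO token are constructed; endpoint paths follow the OpenAM 12
developer guide (json/authenticate, json/users, _action=changePassword)."""
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Any, Dict, Optional
from urllib.parse import quote

SESSION_COOKIE = "iPlanetDirectoryPro"  # OpenAM's default SSO cookie name (assumed unchanged)


@dataclass
class RestCall:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[Dict[str, Any]] = None

    def to_urllib(self) -> urllib.request.Request:
        data = json.dumps(self.body).encode() if self.body is not None else None
        req = urllib.request.Request(self.url, data=data, method=self.method)
        for name, value in self.headers.items():
            req.add_header(name, value)
        return req


class OpenAMUserClient:
    def __init__(self, base_url: str, realm: str = "/") -> None:
        self.base_url = base_url.rstrip("/")
        self.realm = realm.strip("/")     # "/" is the top-level realm, "/customers" a sub-realm
        self.token: Optional[str] = None  # SSO token (tokenId) of the logged-in admin or user

    def _call(self, method: str, resource: str, body=None, extra=None) -> RestCall:
        realm_path = f"/{self.realm}" if self.realm else ""
        headers = {"Content-Type": "application/json"}
        if self.token:                    # every call after login carries the session cookie
            headers["Cookie"] = f"{SESSION_COOKIE}={self.token}"
        headers.update(extra or {})
        return RestCall(method, f"{self.base_url}/json{realm_path}/{resource}", headers, body)

    def authenticate(self, username: str, password: str) -> RestCall:
        # zero-page login: credentials travel in headers, the body is an empty JSON object
        return self._call("POST", "authenticate", body={},
                          extra={"X-OpenAM-Username": username, "X-OpenAM-Password": password})

    def create_user(self, username: str, password: str, attrs: Dict[str, Any]) -> RestCall:
        # attrs beyond username/userpassword must be attributes the data store exposes
        return self._call("POST", "users?_action=create",
                          body={"username": username, "userpassword": password, **attrs})

    def read_user(self, username: str) -> RestCall:
        return self._call("GET", f"users/{quote(username, safe='')}")

    def set_status(self, username: str, active: bool) -> RestCall:
        # disable/enable maps to inetuserstatus; If-Match: * skips revision checking
        return self._call("PUT", f"users/{quote(username, safe='')}",
                          body={"inetuserstatus": "Active" if active else "Inactive"},
                          extra={"If-Match": "*"})

    def change_password(self, username: str, current: str, new: str) -> RestCall:
        return self._call("POST", f"users/{quote(username, safe='')}?_action=changePassword",
                          body={"currentpassword": current, "userpassword": new})

    def delete_user(self, username: str) -> RestCall:
        return self._call("DELETE", f"users/{quote(username, safe='')}")

    def send(self, call: RestCall) -> Dict[str, Any]:
        with urllib.request.urlopen(call.to_urllib()) as resp:
            return json.loads(resp.read().decode())

    def login(self, username: str, password: str) -> str:
        self.token = self.send(self.authenticate(username, password))["tokenId"]
        return self.token


if __name__ == "__main__":
    # Offline walk-through: print the calls instead of sending them.
    client = OpenAMUserClient("https://openam.example.com:8443/openam", realm="/customers")
    print(client.authenticate("amAdmin", "secret12").url)
    client.token = "AQIC5wM2LY4SfczntBcXQKdwFmOeDOF9x0pD0RDAn1Z2sK4."  # constructed token
    for call in (client.create_user("bjensen", "Pa55w0rd!",
                                    {"cn": "Babs Jensen", "sn": "Jensen", "mail": "bjensen@example.com"}),
                 client.set_status("bjensen", active=False),
                 client.change_password("bjensen", "Pa55w0rd!", "N3w-Pa55w0rd"),
                 client.delete_user("bjensen")):
        print(call.method, call.url, json.dumps(call.body))
```

Against a live server, `login()` obtains the token and `send()` dispatches each call. Two practical caveats: custom user attributes (the question's point) ride along in the create/update body only when the data store configuration lists them and the OpenDJ schema allows them, otherwise they are not written; and the `changePassword` action carries the current password because it is meant for a user changing their own password, while an administrator session can set `userpassword` directly with the `PUT`. Password strength and lockout are enforced by OpenDJ, so a rejected password surfaces as a 4xx error from these calls.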

    #4481
     Manchanda, P
    Participant

    Thanks for the reply. I can leverage OpenDJ and its REST APIs to create an identity management solution. For this I would need to provide my own UI and introduce custom attributes.

    My query here is how I can get OpenAM to recognize these custom attributes. For example, I define a Password Policy to lock the account after 3 failed attempts. I would need a mechanism wherein OpenAM would ‘know’ about this policy and lock the account after the specified number of attempts.

    What I am trying to understand is how I can achieve this.

    Thanks and Regards
    P Manchanda

    #4491
     Rogerio Rondini
    Participant

    Hi,

    So… OpenAM authentication relies on a “BIND” operation in OpenDJ. If the account is locked by OpenDJ, it will return an authentication failed error to OpenAM, then OpenAM will throw an exception. If you have just configured account lockout on the OpenDJ side, there is no need to configure it on the OpenAM side.

    If you want to configure in OpenAM side, you can take a look at http://docs.forgerock.org/en/openam/11.0.0/admin-guide/#configure-account-lockout

    I prefer to avoid configuring it on both sides.

    Regards,
    Rogerio Rondini
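
The lockout behaviour described in the reply above, as an added example that is neither Rogerio's text nor OpenDJ or OpenAM code: a Python model of how OpenDJ's password policy turns failed binds into an account lock and what the simple bind that OpenAM performs sees as a result. The policy fields are named after the OpenDJ dsconfig password-policy properties (lockout-failure-count, lockout-failure-expiration-interval, lockout-duration), and pwdFailureTime / pwdAccountLockedTime are the operational attributes OpenDJ maintains on the entry; the DN, password and timestamps are constructed. The model is a reading of the documented semantics, not a copy of OpenDJ's implementation.

```python
"""Model of how OpenDJ's password policy turns failed binds into an account
lock, and what the simple bind that OpenAM's LDAP module performs then sees.
Added example, not OpenDJ or OpenAM code. Policy fields are named after the
OpenDJ dsconfig password-policy properties; pwdFailureTime and
pwdAccountLockedTime are the operational attributes OpenDJ maintains on the
entry. The DN, password and timestamps used below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # a bind to a locked account fails with this, not a "locked" code


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime as OpenDJ writes it: 20150302101500Z or 20150302101500.250Z."""
    base, _, frac = value.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc, microsecond=micros)


@dataclass
class PasswordPolicy:
    lockout_failure_count: int = 3                # lockout-failure-count; 0 disables lockout
    lockout_failure_expiration_interval: int = 0  # seconds; 0 = old failures never age out
    lockout_duration: int = 900                   # seconds; 0 = locked until an admin unlocks


@dataclass
class UserEntry:
    dn: str
    password: str                                                   # plaintext only because this is a model
    pwd_failure_time: List[datetime] = field(default_factory=list)  # pwdFailureTime values
    pwd_account_locked_time: Optional[datetime] = None              # pwdAccountLockedTime

    @classmethod
    def from_ldap(cls, dn: str, password: str, attrs: Dict[str, List[str]]) -> "UserEntry":
        """Build an entry from attribute values as ldapsearch returns them."""
        locked = attrs.get("pwdAccountLockedTime", [])
        return cls(dn, password,
                   [parse_generalized_time(v) for v in attrs.get("pwdFailureTime", [])],
                   parse_generalized_time(locked[0]) if locked else None)


class LockoutModel:
    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy

    def is_locked(self, entry: UserEntry, now: datetime) -> bool:
        if entry.pwd_account_locked_time is None:
            return False
        if self.policy.lockout_duration == 0:
            return True                     # stays locked until pwdAccountLockedTime is removed
        return now < entry.pwd_account_locked_time + timedelta(seconds=self.policy.lockout_duration)

    def bind(self, entry: UserEntry, password: str, now: datetime) -> int:
        """Simulate a simple bind against the entry; returns the LDAP result code."""
        if self.is_locked(entry, now):
            return LDAP_INVALID_CREDENTIALS       # the right password does not help while locked
        if password == entry.password:
            entry.pwd_failure_time.clear()        # success clears the failure history
            entry.pwd_account_locked_time = None  # and any lock whose duration has elapsed
            return LDAP_SUCCESS
        entry.pwd_failure_time.append(now)
        window = self.policy.lockout_failure_expiration_interval
        if window:                                # only failures inside the window count
            entry.pwd_failure_time = [t for t in entry.pwd_failure_time
                                      if now - t < timedelta(seconds=window)]
        limit = self.policy.lockout_failure_count
        if limit and len(entry.pwd_failure_time) >= limit:
            entry.pwd_account_locked_time = now
        return LDAP_INVALID_CREDENTIALS

    def unlock(self, entry: UserEntry) -> None:
        """What an admin's ldapmodify removing pwdAccountLockedTime and pwdFailureTime achieves."""
        entry.pwd_failure_time.clear()
        entry.pwd_account_locked_time = None


if __name__ == "__main__":
    model = LockoutModel(PasswordPolicy(lockout_failure_count=3, lockout_duration=900))
    entry = UserEntry.from_ldap("uid=bjensen,ou=people,dc=example,dc=com", "Pa55w0rd!",
                                {"pwdFailureTime": ["20150302101500Z", "20150302101505.250Z"]})
    now = parse_generalized_time("20150302101510Z")
    print("third failure ->", model.bind(entry, "wrong", now), "locked:", model.is_locked(entry, now))
```

The point for the question's "lock after 3 failed attempts" requirement is that OpenAM never sees a distinct "locked" status, only result code 49, so its login page shows a generic failure either way, and the lock is inspected or cleared on the OpenDJ side (an ldapsearch for pwdAccountLockedTime, an ldapmodify that deletes it). Per-realm and per-user policies are OpenDJ's job too: create one password policy per realm and point users at it through the ds-pwp-password-policy-dn attribute, or with a subentry policy scoped to the realm's subtree. Turning on OpenAM's own Login Failure Lockout in addition would count the same failures a second time, which is why Rogerio recommends configuring it on one side only.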
