This topic has 8 replies, 2 voices, and was last updated 1 month, 3 weeks ago by Jatinder Singh.

    #28254
     praveenpasi
    Participant

    Hi,
    I am a newbie to ForgeRock & using version 6.
    Primarily we are using the OIDC/OAuth capabilities of ForgeRock AM & could validate token validation scenarios for our microservice project.

    As part of our project we want to establish Federation between IDCS (Oracle Identity Cloud Service) & ForgeRock to verify identity propagation from IDCS to ForgeRock.
    As per my understanding IDCS will be the Identity Provider & ForgeRock will be the Service Provider for this use case.
    Can you please share any references (links, blogs etc.) similar to this use case; if not with IDCS, then with any other IDM & ForgeRock.

    Regards,
    Praveen

    #28255
     Jatinder Singh
    Participant

    If I understand your use case correctly, you have a Microservice protected using ForgeRock AM solution via OAuth2 and OIDC Federation protocols. You also have a set of users hosted within Oracle’s IDCS solution, and you would like those users to have access to your Microservice?

    Suggestion 1: Since I have little information on your Identity infrastructure and how and what IDCS is actually serving – one high-level suggestion is to have IDCS token transformed into AM token. For example, x.509 token provided by IDCS and transforming that into OIDC. For this look into using Security Token Service (STS).

    Suggestion 2: Other suggestion is to have these users ingested into ForgeRock Identity Platform via IDM (Connectors and Mappings) and have those users further managed using IDM. You can configure sync mappings within IDM such that if it updates an IDCS user, it replicates the data to ForgeRock Identity Platform. Using this approach, those users can seamlessly login via AM into your Microservice.

    Hope this helps.

    #28256
     praveenpasi
    Participant

    Hi,
    Thanks for the inputs.
    The use case is as below.
    Microservice A is secured with IDM A (Oracle IDCS) & Microservice B is secured with IDM B (ForgeRock).
    Both Microservices are secured using the OIDC/OAuth support available in IDCS & ForgeRock.

    Now, when Microservice A wants to invoke a REST Service in Microservice B with the token fetched from IDCS (IDM of Microservice A), Microservice B should be able to validate the token (IDCS originated) against ForgeRock.

    To support this use case we wanted to establish Federation between IDCS (as IdP) & ForgeRock (as SP).

    Please let me know if we are heading in the correct direction.

    Thanks,
    Praveen

    #28257
     Jatinder Singh
    Participant

    Yes, the problem of federation between two different IdPs from two different domains can be solved using the “Brokered Authentication” pattern with STS, as suggested above. In layman's terms, you want to:

    * validate the OIDC token issued by IDP A;
    * if valid, transform (using STS) that token into a new token in IDP B;
    * the new token can then be consumed by your Microservice B.

    NOTE: the user will not have to re-login to IdP B using the above solution.

    Token validation can be done by setting up the “OpenID Connect id_token bearer” authentication module and configuring it within your STS for usage.

    Hope this helps!
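
To make the three steps above concrete, here is an added, self-contained example that is not part of this thread or of ForgeRock's own code. It mints a constructed id_token standing in for one issued by IdP A (IDCS), runs the checks the id_token bearer module would apply (signature, `alg`, `iss`, `aud`, `exp`) before the token is trusted, and builds the REST STS translate body. Assumptions: the issuer URL, audience and shared secret are constructed; HS256 is used only so the demo runs offline (a real IDCS token is RS256 and must be verified against its JWKS); the `input_token_state`/`output_token_state` body shape follows the AM 6 REST STS guide linked later in the thread.

```python
import base64, hashlib, hmac, json, time

IDP_A_ISSUER = "https://idcs-example.identity.oraclecloud.com"  # constructed issuer (IdP A)
EXPECTED_AUD = "microservice-b"                                  # constructed client id of Microservice B
SHARED_SECRET = b"constructed-demo-secret"  # HS256 only for the offline demo; IDCS really uses RS256 + JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint a constructed id_token that stands in for one issued by IdP A (IDCS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, now=None, secret: bytes = SHARED_SECRET) -> dict:
    """Step 1: the checks the OIDC id_token bearer module applies before the token is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # never accept alg=none or a surprise alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != IDP_A_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this service")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def sts_translate_request(id_token: str) -> dict:
    """Step 2: body POSTed to the AM REST STS instance (?_action=translate) to get an IdP B token."""
    return {"input_token_state": {"token_type": "OPENIDCONNECT", "oidc_id_token": id_token},
            "output_token_state": {"token_type": "OPENAM"}}
```

Only a token that passes `validate_id_token` should ever be placed into `sts_translate_request`; the resulting AM token is what Microservice B consumes (step 3).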

    #28258
     praveenpasi
    Participant

    Thanks Jatinder for the pointers. Can you please share any references/blogs on how to set up STS in ForgeRock, if available.

    Thanks Again,
    Praveen

    #28259
     Jatinder Singh
    Participant

    At this time, I can only suggest the below backstage documents:

    STS: https://backstage.forgerock.com/docs/am/6/sts-guide/
    OpenID Connect id_token bearer Module: https://backstage.forgerock.com/docs/am/6/authentication-guide/index.html#oidc-module-conf-hints

    P.S. I plan to publish an article (+video) on STS in the coming weeks. I’ll update this thread when it’s online.

    #28263
     praveenpasi
    Participant

    Thanks Jatinder.

    Regards,
    Praveen

    #28314
     praveenpasi
    Participant

    Hi Jatinder,
    Sorry for bothering you. Can you please share the article [blog]/video on STS if it's available.
    We have reached a stage where we might need this solution to be taken up.

    Regards,
    Praveen

    #28317
     Jatinder Singh
    Participant

    I am never bothered on this forum :) In fact, I love getting bothered. More the merrier :)

    As mentioned earlier, I am not aware of any article/video other than what is already discussed in the AM documentation. That said, we could discuss this one-on-one and see if that helps. You can reach me at [email protected].

    Thanks,
    Jatinder
