Tagged: Federation AM
September 3, 2020 at 3:51 pm #28254
I am a newbie to ForgeRock & am using version 6.
Primarily we are using the OIDC/OAuth capabilities of ForgeRock AM & could validate token validation scenarios for our microservice project.
As part of our project we want to establish Federation between IDCS(Oracle Identity Cloud Service) & ForgeRock to verify identity propagation from IDCS to ForgeRock.
As per my understanding IDCS will be Identity provider & ForgeRock will be Service Provider for this use case.
Can you please share any references (links, blogs etc.) similar to this use case; if not with IDCS, then with any other IDM & ForgeRock.
Praveen
September 3, 2020 at 5:31 pm #28255
If I understand your use case correctly, you have a Microservice protected using ForgeRock AM solution via OAuth2 and OIDC Federation protocols. You also have a set of users hosted within Oracle’s IDCS solution, and you would like those users to have access to your Microservice?
Suggestion 1: Since I have little information on your Identity infrastructure and how and what IDCS is actually serving – one high-level suggestion is to have IDCS token transformed into AM token. For example, x.509 token provided by IDCS and transforming that into OIDC. For this look into using Security Token Service (STS).
Suggestion 2: Other suggestion is to have these users ingested into ForgeRock Identity Platform via IDM (Connectors and Mappings) and have those users further managed using IDM. You can configure sync mappings within IDM such that if it updates an IDCS user, it replicates the data to ForgeRock Identity Platform. Using this approach, those users can seamlessly login via AM into your Microservice.
Hope this helps.
September 4, 2020 at 5:34 pm #28256
Thanks for the inputs.
The use case is as below.
Microservice A is secured with IDM A (Oracle IDCS) & Microservice B is secured with IDM B (ForgeRock).
Both the Microservices are secured using OIDC/OAuth support available in IDCS & ForgeRock.
Now Microservice A wants to invoke a REST service in Microservice B with the token fetched from IDCS (the IDM of Microservice A).
Microservice B should be able to validate the token (IDCS originated) against ForgeRock.
To support this use case we wanted to establish Federation between IDCS (as IdP) & ForgeRock (as SP).
Please let me know if we are heading in correct direction.
Praveen
September 8, 2020 at 3:55 am #28257
Yes, the problem of federation between two different IDPs from two different domains can be solved using “Brokered Authentication” pattern using STS as suggested above. In layman terms, you want to:
* validate the OIDC token issued by IDP A;
* if valid, transform (using STS) that token into a new token in IDP B;
* the new token can then be consumed by your Microservice B.
NOTE: user will not have to relogin in IDP B using the above solution.
And token validation can be done by setting up “OpenID Connect id_token bearer” authentication module and configured within your STS for usage.
Hope this helps!
September 9, 2020 at 6:17 pm #28258
Thanks Jatinder for the pointers. Can you please share any references/blogs to set up STS in ForgeRock, if available.
Praveen
September 9, 2020 at 9:25 pm #28259
At this time, I can only suggest the below backstage documents:
OpenID Connect id_token bearer Module: https://backstage.forgerock.com/docs/am/6/authentication-guide/index.html#oidc-module-conf-hints
P.S. I plan to publish an article (+video) on STS in the coming weeks. I'll update this thread when it's online.
September 10, 2020 at 6:31 am #28263
Praveen
October 6, 2020 at 8:05 am #28314
Sorry for bothering you. Can you please share the article [blog]/+video on STS if it's available.
We have reached a stage where we might need this solution to be taken up.
Praveen
October 6, 2020 at 10:01 pm #28317
I am never bothered on this forum :) In fact, I love getting bothered. More the merrier :)
As mentioned earlier, I am not aware of any article/video other than what is already discussed in the AM documentation. That said, we could discuss this one-on-one and see if that helps. You can reach me at [email protected].