Login into AM fails for IDM self-service user

This topic has 5 replies, 2 voices, and was last updated 2 weeks, 3 days ago by deevodavis.

  • Author
  • #28694

    I’m having an issue that I’m pretty sure is down to mis-configuration, but I’ve struggled for a while and now decided to ask for advice.

    I have setup a local install of OpenDJ DS, AM and IDM on MacOS; all versions are v7.1.0 downloaded from Backstage.

    I believe I’m using a single DS repository as I installed and configured both AM and IDM to specify the remote DS rather than embedded. The reason I believe this is that I can see all the same users that were created in both IDM and AM. New users show up in both lists after a refresh.

    I can create new users using the IDM self-service registration portal (http://openidm.example.com:8080/) and eventually get through OK to the users profile page after filing in security questions etc. that I’ve setup as part of the registration. I can logout and log back in as the user into IDM without issues.

    If I look at the DS in Apache Directory under “ou=People,dc=example,dc=com” I can see all the users listed including the new ones I’ve created.

    If however I try and authenticate as that user into AM (http://openam.example.com:18080/am/oauth2/authorize? …) it fails with an authentication failed error.

    If I locate that same (failing) user in AM under “Identities” and modify the users password (to the exact same value I used before during IDM self-service registration) then I can login to the AM authentication endpoint successfully and get taken to the users profile XUI webpage.

    Another thing I’ve noticed is that after modifying the user in AM I have new additional properties in DS that I can see using Apache Directory Server namely “inetUserStatus=Active” and “userPassword={PBKDF2-HMAC-…”. I’m not sure where the IDM users original password is being stored but it’s obviously not where I’m looking!

    I’ve obviously not set something up correctly and wondered if anyone could point me in the right direction so that I can create a user in IDM, then authenticate using AM in one fell swoop?

    Thanks Steve

    • This topic was modified 2 weeks, 6 days ago by deevodavis.
     Andrew Potter

    There are several ways you could have set this up!
    You may well be pointing both AM and IDM at the same external DS instance, but might be using different branches within the DS for AM and IDM data, then using IDM sync.
    Do you have a sync.json file in your IDM ‘conf’ directory?

    Or if you’re using the same branch then you should definitely have followed this guide to configure the ‘shared identity store’ and also deployed the platform UIs: https://backstage.forgerock.com/docs/platform/7.1/platform-setup-guide/

    But, probably the easiest way to get a local environment to play with is use the Minikube version of the CDK described here: https://backstage.forgerock.com/docs/forgeops/7.1/index.html
    This deploys AM/IDM/DS in shared repo and deploys the platform UIs.


    Thanks for your reply Andrew.

    I think I may have been overly naive / optimistic in my initial installation !!

    This morning I’ve been through a setup of a Shared Identity Store Deployment (the same as you linked above) and it all seems to be running as expected now.

    Thanks again, Steve

    PS. Whilst it’s working OK in that I can register and then login as that user, I’m a little confused as to the new Platform UI. It’s obviously got a lot of overlap with the original ‘Native Consoles’ but when I look at the ‘Configure > User Registration’ option of the OpenIDM native console it’s disabled (yet clearly there is a user registration service available) and if I enable it and then navigate away, it doesn’t stay enabled. I’m guessing that the new platform uses the ‘Journeys’ only now (the old Authentication trees)?


    Answering my own question … it does seem that the latest version 7.1 manages some bits in the new Platform Admin and some bits in the native consoles, reference : https://backstage.forgerock.com/docs/platform/7.1/platform-setup-guide/#migrate-from-full-stack

     Andrew Potter

    Yes, you’re correct. The Platform Admin is new in v7 and designed to provide a consolidated admin experience across different component products. It doesn’t currently do everything the native admin UIs do – but that’s the direction of travel.
    And yes, in ‘platform’ configuration, use Journeys to manage the self-service capabilities (rather than IDM’s self-service ‘stages’ that you’d typically use in ‘standalone’ configuration).

    Also note there is, specifically, a Platform Enduser UI for use when the products are deployed in this ‘platform’ configuration. If you deploy the components in standalone manner then you’d use the IDM Enduser UI instead.


    Thanks Andrew. I’m finding my way through things, but as some configuration items are still visible and modifiable in the native UI, but either don’t save (e.g. they reset after you navigate away in the UI) or do seem to save but have no effect at runtime, I’m finding it a little confusing at present. I’m getting there though! Thanks for the support.

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?