Self service on boarding of applications to OpenAM

This topic has 6 replies, 3 voices, and was last updated 1 week, 4 days ago by suresh_a5.

  • Author
  • #28201

    I am looking for a self service integration of applications to openAM. The applications currently are web based, mainframe, thick client and vendor products outside the organization network. The applications are lined up for SAML and OpenID integration with openAM. The current process takes time for application to do feasibility and onboarding them to central OpenAm. Considering the high volume of apps in the estate, any suggestions on to improve the quality of service and quicker on boarding by self service by the application teams or centrally creating a service at openam which can be called up different application teams


    For OAuth2 + OpenID, I would suggest to look into Dynamic Client Registration which is defined as part of the OpenID spec and supported out of the box. For SAML2 and in my knowledge, the spec does not define such registration/integration. That said, AM does provide REST API /realm-config/federation that one can use to query and may be set-up Entity Providers and COT.


    I am looking for operationalizing smarter and quicker on boarding of applications with a scalable model for integrating to OpenAM. Any pointers to strategize onboarding would help. At the moment apps are evaluating POC to confirm the approach of SAML or OpenID, followed by development of use cases related to single sign on journey, followed by integration and user testing before they cut over to production. Considering each app will have multiple URL covering multi countries it takes longer time to complete the application rollout completely. Hence the need arises to strengthen and strategize a model which will give a self based model for the app team to build, test and run in production seamlessly faster and quicker


    IMHO it’s a loaded question with a lot of unknowns. If you have a lot of apps – IMHO it would be nice to publish some sort of an onboarding Registration and Discovery Service through which clients can fulfill registration requirements without requiring an AM administrator and learn supported features. For example, a mobile app would follow the OpenID Connect workflow for registration, whereas, a legacy web based app may decided to follow SAML2 workflow. Since each app is responsible for registering themselves, the onus is on them to provide the correct set of URLs e.g. redirect_uri or ACS urls, etc. This is essentially automating the registration process and a super high-level design. Some questions you will need to address – how do you trust a client/app, internal app/client vs. external, firewalls, proxies, internal vs. external users, etc.

    IMO such a solution design is doable using IG but will need to be discussed in-depth to ensure all scenarios are covered.

    I hope this provides you with some ideas and open floor for further discussion. Thanks.


    Thanks . Is there any references or documents on such design on registration using IG. Are there any case study on large scale onboarding of applications done, which relatively eases and fasten the on-boarding time


    I am not aware of any direct documentation to this solution. The reason I brought up Identity Gateway (IG) – is because the component in discussion which does the registration and provides discovery service will need to communicate with AM over REST. As part of this solution one may need to perform tasks like – Encryption/Decryption, usage of Keystore API, Transform Requests/Responses, Read/Write JWTs, Create HTML, Authenticate with AM, Proxy AM discovery documents like OpenID or JWK_URI, etc. And IG being built on the RP model and with many out of the box filters, IMHO it’s a good fit for such tasks.

    And please note this is one suggestion that comes to mind and I would love to hear from the community for any other possible solutions/or ideas around this problem.



    Jatinder, thanks for your input

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?