This topic has 4 replies, 3 voices, and was last updated 6 years, 1 month ago by Kim Daniel Engebretsen.

#4502

    Hello, I am completely new to ForgeRock and its Open* products so forgive my ignorance (and lack of search results on the topic), but I was wondering if anyone out there has had any experience with architecting any of the OpenIDM/AM products for multi-tenancy?

    I have experience working with Oracle IAMS, where we support multitenancy at the directory store level using different Os or OUs for the tenants.

    I’d like to hear from anyone who’s working on or has implemented MT using OpenIDM – thanks!

Rogerio Rondini


OpenIDM has “Managed Objects”, which represent the identity-related data managed by OpenIDM. The default deployment has “managed/user”, “managed/groups”, and “managed/roles” Managed Objects.

    For MT, you could create your own Managed Objects. For example:

It is important to note that OpenIDM has a flexible data model which can be easily customized to best fit your MT requirement.

    Rogerio Rondini


    Thank you Rogerio for pointing this out. I have not had a chance to properly go through all the resources here, but what I’m struggling to find is information on security. It’s one thing for the data model to support MT through these managed objects, but how does one ensure one managed access (tenant) does not have access to another managed object?

    I’m looking to allow tenants to both administer and manage themselves. RBAC is one way to do this, but is the security model flexible enough in Open(AM or IDM) to support a single multi-tenant deployment of these products?

    Thank you

Rogerio Rondini

So... In OpenIDM you will need to configure Security Policies. I believe you can define Roles to grant/deny access on each managed object’s endpoints.

    Something like…

            // one entry in the "configs" array of OpenIDM's access.js
            {
                "pattern"   : "managed/user/*",
                "roles"     : "openidm-admin",
                "methods"   : "*", // default to all methods allowed
                "actions"   : "*", // default to all actions allowed
                "customAuthz" : "disallowQueryExpression()"
            },

    For OpenAM, the MT is implemented through Realms. Once a user is authenticated in a particular Realm, he just has access to that Realm. If he tries to access resources on another Realm, OpenAM will ask the user to authenticate again on the Realm he is trying to access.
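The access.js-style rules above, extended to per-tenant managed objects and run through a small evaluator so the tenant-isolation question from the thread can actually be checked. This is an added example, not code from the original post and not OpenIDM's own policy engine: the wildcard semantics, the `tenantA_user`/`tenantB_user` object types, the `tenantA-admin`/`tenantA-user` roles and the `ownDataOnly()` check are all constructed for illustration; only `disallowQueryExpression()` and the rule shape come from the snippet in the post.

```javascript
// Added example: a minimal evaluator for access-rule entries shaped like the
// OpenIDM access.js snippet in the thread. It is NOT OpenIDM's policy engine;
// the matching rules and the customAuthz table below are constructed here to
// make the "can tenant A reach tenant B's objects?" check concrete.

// Named customAuthz checks. In real access.js these are JavaScript expressions
// evaluated by OpenIDM; here they are plain functions keyed by the same string
// (constructed simplification).
const customAuthz = {
  // Refuse requests carrying a free-form _queryExpression (the intent of the
  // disallowQueryExpression() entry quoted in the post).
  "disallowQueryExpression()": (req) => !("_queryExpression" in (req.params || {})),
  // A tenant user may only touch their own record: the last path segment must
  // equal the caller's id (constructed helper, not an OpenIDM built-in).
  "ownDataOnly()": (req) => req.resource.split("/").pop() === req.callerId,
};

// Constructed tenant-scoped rule set: each tenant gets its own managed object
// type, and its admin role is confined to that object type's endpoint.
const accessConfig = [
  { pattern: "managed/user/*", roles: "openidm-admin", methods: "*", actions: "*",
    customAuthz: "disallowQueryExpression()" },
  { pattern: "managed/tenantA_user/*", roles: "tenantA-admin", methods: "*", actions: "*" },
  { pattern: "managed/tenantB_user/*", roles: "tenantB-admin", methods: "*", actions: "*" },
  { pattern: "managed/tenantA_user/*", roles: "tenantA-user",
    methods: "read,update,patch", actions: "*", customAuthz: "ownDataOnly()" },
];

// '*' matches exactly one path segment, except as the final pattern segment,
// where it matches zero or more remaining segments, so "managed/user/*" covers
// both the collection (queries) and individual records. Constructed semantics.
function matchesPattern(pattern, resource) {
  const p = pattern.split("/");
  const r = resource.split("/").filter(Boolean);
  for (let i = 0; i < p.length; i++) {
    if (p[i] === "*" && i === p.length - 1) return true;
    if (i >= r.length) return false;
    if (p[i] !== "*" && p[i] !== r[i]) return false;
  }
  return r.length === p.length;
}

// "*" or a comma-separated list, as in the roles/methods/actions fields.
function listMatches(spec, value) {
  return spec === "*" || spec.split(",").map((s) => s.trim()).includes(value);
}

// req = { resource, method, action, callerId, roles: [...], params: {...} }
// Rules are additive: a request is allowed if any rule grants it and denied
// only when no rule matches (the same overall shape as access.js).
function isAllowed(req) {
  return accessConfig.some((rule) =>
    matchesPattern(rule.pattern, req.resource) &&
    req.roles.some((role) => listMatches(rule.roles, role)) &&
    listMatches(rule.methods, req.method) &&
    listMatches(rule.actions, req.action || "") &&
    (!rule.customAuthz || customAuthz[rule.customAuthz](req))
  );
}

// Usage: a tenant A admin must not be able to modify tenant B's records.
console.log(isAllowed({ resource: "managed/tenantB_user/42", method: "patch",
  roles: ["tenantA-admin"] })); // false
```

The isolation property falls out of the pattern field alone: because `tenantA-admin` appears only in a rule whose pattern is `managed/tenantA_user/*`, no request against `managed/tenantB_user/...` can match. The `ownDataOnly()` row shows the other half a practitioner usually needs, restricting ordinary tenant users to their own record within the tenant's object type.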


    When one is using both OpenIDM and OpenAM, shouldn’t there be a way to use only the access controls in one of them?
    I have made OpenIDM use OpenAM proxy for authentication, but if one also could use OpenAM for authorization, one would not need to implement the security model twice (in different syntaxes).

    If there is not a way to do this today, is there a roadmap for getting there?
