Using a Web Service as the Datastore

This topic contains 8 replies, has 6 voices, and was last updated by sromero 10 months, 1 week ago.



    Instead of using MySQL or LDAP as the datastore, I’m doing a POC on hooking up OpenAM with a web service that provides REST APIs to do CRUD operations to the DB.

    Is it possible to implement this with OpenAM? If so, how to do it?

    Thanks in advance :)

     Scott Heger 

    Looks like you are trying to build a custom Identity Repository Plugin. Start here:

    That is assuming you are using OpenAM 13.5. If not, then go to the same section of the Developer’s Guide of the OpenAM version you are using.


    Would it be a custom authentication module instead of a custom identity repository plugin?

    I would like OpenAM to talk to a web service then let the web service do CRUD to DB, instead of directly hooking up DB with OpenAM.

     Scott Heger 

    It depends. If you are looking to hook into this web service for the purpose of authentication, then yes, build as an authentication module. But, if your realm is set to require user profiles (which is the default setting) then after authentication OpenAM will need to find the user’s profile by way of your data store. If looking up the user profile will require talking to the same web service then you would need a custom Identity Repository Plugin.


    Thanks Scott! Would you help with 3 more questions:

    Does that mean I have to build 2 modules: authentication module and identity repo?

    I am looking into both and .

    So the has process() method and the IdRepo plugin has authenticate() method. Should I call the authenticate() method inside process() method?

    I am also customizing the registration and login page. The previous link has a section “Procedure 4.2. To Update the Identity Repository For the New Attribute”. How would I update my web service for the new attributes? Or do I have to do anything since all I do is to make HTTP calls to the web service?

    Thanks for your help :)

     Peter Major 

    1) if you want to both authenticate against that webservice and perform user related operations, then you have two choices:
    a) either you implement the authentication in the IdRepo’s authenticate method and use the DataStore authentication module for authentication
    b) or you write both the data store and the auth module

    2) that’s a possibility, but the OOTB provided DataStore auth module does exactly that already.

    3) your custom IdRepo impl does not have to have any restrictions on the usable attribute names, you could leave all that to the web service to sort out.
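    Option (a) from the reply above, sketched as an added example that is not code from this thread or from OpenAM: a JDK-only helper that a custom IdRepo's authenticate method could delegate to, given the Callback[] array it receives. The class name, the endpoint contract (form-encoded POST, HTTP 200 means valid credentials) and the timeout values are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

// Hypothetical helper; not part of OpenAM. Assumed contract: POST, form-encoded, 200 = valid.
public final class RestCredentialCheck {
    private final URL endpoint;

    public RestCredentialCheck(URL endpoint) {
        if (!"https".equals(endpoint.getProtocol())) {
            throw new IllegalArgumentException("credentials must only be sent over HTTPS");
        }
        this.endpoint = endpoint;
    }

    public boolean authenticate(Callback[] credentials) throws IOException {
        String user = null;
        char[] password = null;
        for (Callback cb : credentials) {
            if (cb instanceof NameCallback) user = ((NameCallback) cb).getName();
            else if (cb instanceof PasswordCallback) password = ((PasswordCallback) cb).getPassword();
        }
        if (user == null || user.isEmpty() || password == null || password.length == 0) {
            return false; // fail closed: missing or empty credentials never match
        }
        try {
            String form = "username=" + URLEncoder.encode(user, "UTF-8")
                    + "&password=" + URLEncoder.encode(new String(password), "UTF-8");
            HttpURLConnection conn = (HttpURLConnection) endpoint.openConnection();
            conn.setConnectTimeout(3000); // a slow backend must not hang the login flow
            conn.setReadTimeout(5000);
            conn.setInstanceFollowRedirects(false); // never replay credentials to a redirect target
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(form.getBytes("UTF-8"));
            }
            return conn.getResponseCode() == HttpURLConnection.HTTP_OK; // anything else is a denial
        } finally {
            Arrays.fill(password, '\0'); // wipe the char[] copy returned by getPassword()
        }
    }
}
```

    Network failures surface as IOException so the caller can report a backend error rather than a wrong password; the credentials go in the POST body, not the URL, so they stay out of access logs.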


    I’m also planning to try to build such a ‘webservice identity provider’ but from the (13.0) documentation it is not really clear to me where to specify the class name CustomRepo class during register since ssoadm has no -c option anymore?

    Can you clue me in on this? I registered my repo but it is not visible yet in the OpenAM DataStores.

     Peter Major 

    As long as the SubSchema has the name attribute set correctly things should work just fine in my opinion.


    Hi Peter, I have developed a custom data store consuming a REST API. It is working fine but I can’t see the sub-schema attributes on the UI. I can see them on the LDAP and with the ssoadm show-datastore command but not on the plugin configuration form.

    So what do you mean by “has the name attribute set correctly”? Can it be an issue with the attribute names? Is there any documentation I can check to understand that?

    Thanks in advance.


©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
