October 17, 2018 at 1:27 pm #23502
I’ve just got integration between IDM and AM going, and I wanted to be able to embed some REST calls to IDM in our company Intranet portal to pull back some JSON data from IDM and render it on the Intranet.
I found this paragraph of the Integration guide:
The use case is when you need to integrate IDM endpoints behind the scenes within other applications, such as with a company intranet portal. In that configuration, users would log into AM to access the portal; at that point, their sessions would use the AM SSO cookie, also known as iPlanetDirectoryPro. For more information, see the AM Authentication and Single Sign-On Guide to Session Cookies.
When I first read it, I thought this is exactly my use case, integrating with a company intranet portal. But looking into it further it doesn’t look like you can just pass an AM session cookie to IDM and get a response, it looks like there is an elaborate OAuth 2 dance that has to take place.
Does anyone know how feasible it is to embed calls to IDM on an intranet assuming that CORS is setup correctly? Are there any examples of what I’d need to do to be able to call IDM using an AM session?October 17, 2018 at 2:53 pm #23503Bill NelsonParticipant
IDM’s delegation of authentication uses OAuth2, not session cookies. I don’t know if I agree with it being an “elaborate OAuth 2 dance” as the flow that you go through is roughly the same as used with session cookies (what I call the ‘dance of the cookie fairies’).
If you don’t want to embed usernames/passwords in your portal (smart man), then there are other options that can be used. See https://backstage.forgerock.com/docs/idm/6/integrators-guide/#openidm-authentication for a full list of authentication (“authn”) options.
Assuming that you have already authenticated into your company portal, then one relatively easy option you could use is that of the TRUSTED_ATTRIBUTE authn module. You could pass a header attribute via the portal to IDM which can then be used to perform a lookup of the user in IDM for authn purposes. This works well when you force traffic through reverse proxies, OpenIG, or in your case, a portal. You should take care, however, to ensure that traffic cannot be intercepted and someone can inject their own headers. I have used this in a couple of use cases where the RP is installed with another vendor’s SSO solution (i.e. SiteMinder). The RP ensures that the user is authenticated and then populates a header with the identity of the user. One drawback to this option is that you need to build a new servlet filter bundle (instructions found here: https://backstage.forgerock.com/docs/idm/6/samples-guide/index.html#chap-trusted-servlet-filter), but ForgeRock gives you the sample code for this. If I can follow the instructions, then anyone can.
If you want a tighter integration within the ForgeRock stack, then using the OAUTH_CLIENT authn module is the best bet. It really is not all that difficult to do, don’t let the instructions found at https://backstage.forgerock.com/docs/idm/6/samples-guide/index.html#chap-full-stack concern you as they include installation instructions for AM as well. If you already have AM up and running, then you simply need to configure OpenID connect for authn, configure the OAuth2 service in AM, and enable/configure the OAUTH_CLIENT in IDM. The entire process takes roughly 30 minutes to perform and is even a lab in the latest IDM-400 training class from ForgeRock.
There are other “more creative” methods that can be used, but these are the two that I would start with.
Hope this helps,
billOctober 17, 2018 at 7:37 pm #23504Jake FeaselModerator
You might find it easier to make those REST calls if you setup IG to protect IDM, as I describe in this post: https://forum.forgerock.com/2018/08/using-ig-protect-idm-secure-standards-based-integration/
This way, you can use an access_token obtained from AM (using whichever flow is appropriate, possibly auth code or client credentials) to access your IDM endpoints.October 18, 2018 at 12:39 pm #23510
Hi Bill, I already have that full stack setup configured, it took about 3 days for me though because I had to upgrade from OpenAM 13.5 first, as it didn’t quite support OpenID Connect in the way that IDM 5.5/6 needed.
IDM isn’t really behind the portal per-se, so the trusted authentication module is not really an option. I
Is there a different OAuth flow I should be using for my use case? Or would I just follow what it does to login to the IDM UI? One thing I can’t quite figure out is how the 5-second session timeout works with IDM. I’ve noticed when I open up the IDM console and click around it works fine, but if I call one of the REST endpoints via GET in the browser, then after 5 seconds it gives me an authentication error. So I guess that means there is something that needs to be done to keep the session active?
But yes, I do agree that with Jake that putting IDM behind IG does seem a lot easier, however, unfortunately, the client hasn’t purchased IG just yet, there hasn’t been a use case for it until now.October 18, 2018 at 2:55 pm #23513
Jake, if I’m calling IDM from a single page app, should I be using the Implicit auth flow? Would it work or does the “Forgerock identity provider” integration not really let me do what I’m after?
You must be logged in to reply to this topic.