Post on 19-Jan-2017
Copyright © 2015 ForgeRock, all rights reserved. 1
Extend The Power of The ForgeRock Identity Platform
Through Scripting
Javed Shah, Senior Sales Engineer
Anders Askåsen, Senior Technical Product Manager
October 27th, 2015
Fastest-growing Open Source Identity Security Software company in the world
ForgeRock
• Founded 2010 with high double digit growth every year since inception
• Over 300 full time employees
• Over 400 customers
• Active in over 30 countries
• Locations: San Francisco, Vancouver (US), Bristol (UK), London (UK), Grenoble (F), Oslo, Singapore, Düsseldorf (D)
Award winning platform driving innovation worldwide
• Gold winner of the CEO World awards 2014
• Silver Winner in the 6th Annual GoldenBridge Award 2014
• Silver winner for the Fastest-Growing Company of the Year in 2014
• Best in Biz Awards 2014
Extensible Software
“As companies get serious about digital transformation, we see investments shifting toward extensible software platforms used to build and manage a differentiated customer experience.”
Source (March 2015): http://blogs.forrester.com/michael_yamnitsky/15-03-31-modern_software_platforms_are_in_hypergrowth
The Platform
The ForgeRock Identity Platform
[Diagram of the four platform components: Identity Management, Access Management, Directory Services, Identity Gateway]
Unified Platform
[Diagram: one integrated, open platform sharing a Common REST API and a Common User Interface. Capabilities shown per component: Web Services Security, Session Management, Synchronization, Auditing, LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Monitoring, Groups, Password Policy, Active Directory Synch, Reporting, Authentication, Authorization, Provisioning, Password Management, OpenID Connect, Federation, Entitlements, Workflow Engine, Reconciliation, Password Replay, OAuth2, Adaptive Risk, Single Sign-on, Registration, Role Provisioning, Message Transformation, SAML2, Throttling, Scripting]
Single Integrated, Open Platform
Deployment & Config
Deployment & Config

#!/bin/sh
URL="http://openam.example.com:8080"
AM="${URL}/openam"
AUTHN="${AM}/identity/authenticate"
# The legacy authenticate endpoint answers with "token.id=<ssoToken>"; keep the value after "=".
# -k skips TLS certificate verification and is only acceptable against a test instance.
TOK=$(curl -s -k --request POST --data "username=amadmin&password=cangetinam" "$AUTHN" | cut -f2 -d=)
echo "=> OpenAM Token: ${TOK}" ; echo ""
# A request body can also be read from a file: --data @body.json
Deployment & Config

curl --request POST --header "iplanetDirectoryPro: ${TOK}" --header "Content-Type: application/json" --data \
'{"client_id":["mobile"],
"realm":["/"],
"userpassword":["password"],
"com.forgerock.openam.oauth2provider.clientType":["Confidential"],
"com.forgerock.openam.oauth2provider.redirectionURIs":
["'"${URL}/oauth2/oauth2.htm"'","'"${URL}/oIDc/openidc.htm"'"],
"com.forgerock.openam.oauth2provider.scopes":["cn|Name","mail|Email","openid","profile"],
"com.forgerock.openam.oauth2provider.defaultScopes":["cn"],
"com.forgerock.openam.oauth2provider.responseTypes":["code","token","id_token","code token","token id_token","code id_token","code token id_token"],
"com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg":["HS256"],
"com.forgerock.openam.oauth2provider.name":["Test Client"],
"com.forgerock.openam.oauth2provider.description":["OIDC 1.0 Client"]
}' \
${AM}/frrest/oauth2/client/?_action=create
Scripting in OpenIDM
Scripted Connectors
• Scripted Groovy Connector Implementations
  – Scripted SQL
  – Scripted REST
  – Scripted CREST
  – Scripted Azure
• Samples provided!
• Microsoft Integration – The Scripted PowerShell Connector
• Samples provided illustrating Active Directory
OpenIDM Services
openidm.create("managed/user", bjensen, map);
openidm.patch("managed/user/" + user._id, null, [{"operation" : "replace", "field" : "/password", "value": "Passw0rd"}]);
openidm.read("managed/user/" + userId);
openidm.update('managed/user/' + source._id, null, user_read);
openidm.delete('managed/user/' + user._id, user._rev);
openidm.query("managed/user", { "_queryFilter": "/userName sw \"user.1\"" }, ["userName", "_id"]);
openidm.action('sync', 'performAction', content, params);
OpenIDM Services
openidm.encrypt(value, cipher, alias);
openidm.decrypt(value);
openidm.isEncrypted(object);
openidm.hash(value, algorithm);
logger.info(string message, object... params);
logger.debug(string message, object... params);
logger.error(string message, object... params);
logger.trace(string message, object... params);
logger.warn(string message, object... params);
Where can scripts be triggered?
• Scripts in Mappings (conf/sync.json)
  – Triggered by situation (onCreate, onUpdate, onDelete, onLink, onUnlink)
  – Object filter (validSource, validTarget)
  – Correlating objects (correlationQuery, correlationScript)
  – Any reconciliation
  – Scripts inside properties
• Scripts called in the managed object configuration (conf/managed.json) file
  – onCreate, onRead, onUpdate, onDelete, onValidate, onRetrieve, onStore, onSync, postCreate, postUpdate, and postDelete
Where can scripts be triggered?
• Scripts called in the router configuration (conf/router.json) file
  – onRequest, onResponse, onFailure
• Scripted Connectors
  – Scripted SQL
  – Scripted Groovy
  – Scripted REST/CREST
  – Scripted SAP
  – Scripted SSH
  – Scripted PowerShell
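As an added example (not code from the deck or from OpenIDM's own samples), the Groovy script below is a managed/user onCreate trigger of the kind referenced from conf/managed.json, exercising the openidm.query, isEncrypted, encrypt, hash and logger services listed on the OpenIDM Services slides. Assumed: a custom attribute securityAnswer on managed/user, an attribute mailHash to hold the hashed address, and OpenIDM's default cipher and key alias.

```groovy
// Added example: managed/user "onCreate" trigger (conf/managed.json), written in Groovy.
// Bound variables: 'object' (the user being created), 'openidm' and 'logger'.
def SECRET_FIELD = "securityAnswer"      // assumed custom attribute on managed/user
def CIPHER = "AES/CBC/PKCS5Padding"      // OpenIDM's default symmetric cipher
def KEY_ALIAS = "openidm-sym-default"    // default symmetric key alias in the OpenIDM keystore

// 1. Validate userName before it is interpolated into a query filter, so a crafted
//    value cannot change the meaning of the filter.
def userName = object.userName
if (!(userName ==~ /[A-Za-z0-9._@-]{1,64}/)) {
    logger.warn("Create rejected: userName {} fails the allowed pattern", userName)
    throw new IllegalArgumentException("invalid userName")
}

// 2. Reject duplicates with a query filter; only _id and userName are returned.
def existing = openidm.query("managed/user",
        ["_queryFilter": "/userName eq \"" + userName + "\""],
        ["_id", "userName"])
if (!existing.result.isEmpty()) {
    logger.warn("Create rejected: userName {} already exists as {}", userName, existing.result[0]._id)
    throw new IllegalArgumentException("userName already in use")
}

// 3. Never persist the secret in the clear: encrypt it unless it already is.
def secret = object[SECRET_FIELD]
if (secret != null && !openidm.isEncrypted(secret)) {
    object[SECRET_FIELD] = openidm.encrypt(secret, CIPHER, KEY_ALIAS)
}

// 4. Keep a one-way hash of the e-mail address (assumed attribute 'mailHash') so it can be
//    matched later without exposing the address itself.
if (object.mail != null) {
    object.mailHash = openidm.hash(object.mail.toLowerCase(), "SHA-256")
}
logger.info("managed/user {} prepared for creation", userName)
```

Throwing from the trigger fails the create request, so the duplicate and the malformed name never reach the repository.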
Scripting in OpenAM
Draft documentation: http://openam.forgerock.org/doc/bootstrap/dev-guide/index.html#chap-scripting
Overview
• Script Design and Workflow in OpenAM
• Device Registration and Authentication
  – A more standard way of using the Scripting Framework
  – Demo
• The Scripting API
  – Useful in geo fencing using reverse geocode lookup
  – Useful for policy or role-based authentication
  – Demo
Scripting Design – The Client Side Script
• Authentication modules can use Client Side scripts and Server Side scripts (JavaScript or Groovy)
• The use of a Client Side script is optional
• Used as a data collection mechanism
  – Geo location / Fonts / Screen resolution / Timezone
  – Browser Plugins
• Returns collected data in: clientScriptOutputData
  – A string you could .split() to pull all client-side data
The Client Side Script
Scripting Design – The Server Side Script
• Handles Authentication
• Has access to:
  – clientScriptOutputData (sent by the client script)
  – Scripting API
• Must set the authentication state to
  – SUCCESS or
  – FAILED
The Server Side Script
Device Registration and Authentication in OpenAM
Device Authentication
Device Id (Match)
• Predefined scripts in OpenAM:
  – Client side script
  – Server side script
• Scripts are referenced inside Module instances
• Depends on other modules:
  – For user identification (Data Store)
  – Second factor on failure (HOTP)
  – Device Id Save!
Device Id (Match)
• Checks different criteria using the Client Side Script
  – User agents
  – Installed fonts
  – Installed plugins
  – Resolution/color depth associated with a display
  – Time zone, geo location
• Adds penalty points for each criterion that does not match
• Checks the sum of penalty points against a threshold
Device Id (Save)
• Prompts the user before saving the device profile
  – Can be configured to auto save
• Will save the device profiles in the user’s profile
  – Number of profiles stored can be changed from a default 5
• Authentication chain is usually configured to not reach this module if the device was recognized by the Device Id (Match) module
  – Device Id Match configured as Sufficient ensures processing stops if a profile match was found
Demo – Device Fingerprinting
Scripted Authentication in OpenAM
Scripted Authentication
HTTP Commons Framework (coming in OpenAM 13)
• org.forgerock.http.protocol.*
  – Request / Cookie / Entity / Header / Headers / Response
• org.forgerock.util.promise.*
  – Promises – A Promise represents the result of an asynchronous task.
• groovy.json.JsonSlurper
  – JSON parser used in the scripts
• API Documentation
  – http://commons.forgerock.org/bom/apidocs/index.html
Scripting API
• Make REST API calls from the Server Side Script!
  – Use the new HTTP Commons Framework to make a new Request
  – httpClient.send(Request) returns a Promise
  – Promise.get() returns a Response
  – Parse the Response using JsonSlurper!
• Accessing Authentication State
  – OpenAM passes to the Server Side script:
    • authState, sharedState (contains password also)
    • username
Scripting API
• Logging
  – logger
    • error() / message() / warning()
• Accessing Profile Data
  – idRepository
    • getAttribute / setAttribute / addAttribute
• Access the original login request using the requestData object
  – getHeader(name) / getHeaders(name)
  – getParameter(name) / getParameters(name)
Policy Configuration for Demo
Scripting Demo
Acquire ssoToken using REST
Evaluate policy for the resources “authn/self” and “authn/view”
Scripting Demo
Policy decision
Check the policy decision and permit if the requested actions are ALLOWED
Logout the service account or the user
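As an added example (not the deck's code and not OpenAM's own sample), the server-side Groovy script below carries the demo's four steps through the Scripting API objects listed on the previous slides: httpClient with the HTTP Commons Request and Promise, sharedState and username, logger, and the final authState. Assumed, since the deck does not state them: the OpenAM base URL, the JAAS shared-state key under which the preceding Data Store module leaves the password, the policy set name iPlanetAMWebAgentService, and that the demo policies grant a GET action.

```groovy
import org.forgerock.http.protocol.Request
import org.forgerock.http.protocol.Response
import groovy.json.JsonOutput
import groovy.json.JsonSlurper

// Assumed, not from the deck: the OpenAM base URL, the shared-state key written by the
// preceding Data Store module, the policy set name and the action the demo policies grant.
def amBase = "http://openam.example.com:8080/openam"
def policySet = "iPlanetAMWebAgentService"
def requiredActions = ["GET"]
def password = sharedState.get("javax.security.auth.login.password")
def slurper = new JsonSlurper()

// Send one JSON request through the HTTP Commons client; return the parsed body or null.
def callAm = { String method, String uri, Map extraHeaders, Object body ->
    def req = new Request()
    req.setMethod(method)
    req.setUri(uri)
    req.getHeaders().add("Content-Type", "application/json")
    extraHeaders.each { name, value -> req.getHeaders().add(name, value) }
    if (body != null) { req.setEntity(JsonOutput.toJson(body)) }
    Response resp = httpClient.send(req).get()      // Promise.get() waits for the Response
    if (resp.getStatus().getCode() != 200) {
        logger.error("OpenAM call to " + uri + " failed: " + resp.getStatus())
        return null
    }
    return slurper.parseText(resp.getEntity().getString())
}

// 1. Acquire an ssoToken for the user who is logging in ('username' is bound by the module).
def auth = callAm("POST", amBase + "/json/authenticate",
        ["X-OpenAM-Username": username, "X-OpenAM-Password": password], null)
if (auth == null) { authState = FAILED; return }
def token = auth.tokenId

// 2. Evaluate the demo policies. With no explicit subject, OpenAM evaluates for the token owner.
def decisions = callAm("POST", amBase + "/json/policies?_action=evaluate",
        ["iPlanetDirectoryPro": token],
        [resources: ["authn/self", "authn/view"], application: policySet])

// 3. Permit only when every required action is explicitly allowed on every resource;
//    an action missing from a decision counts as a deny.
def allowed = decisions != null && decisions.size() == 2 &&
        decisions.every { d -> requiredActions.every { a -> d.actions?.get(a) == true } }
logger.message("policy decisions for " + username + ": " + JsonOutput.toJson(decisions))

// 4. Logout the REST session regardless of outcome, then set the module's result.
callAm("POST", amBase + "/json/sessions/?_action=logout", ["iPlanetDirectoryPro": token], null)
authState = allowed ? SUCCESS : FAILED
```

The logout in step 4 runs before authState is set so the extra session created for the policy check does not outlive the login attempt.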
Demo – Scripted Authentication
Other Possibilities
• Policy condition scripting
  – Attach a script as a policy condition!
• OIDC Claims data
  – Scripts that gather and populate the claims in a request when issuing an ID token or making a request to the userinfo endpoint.
IDENTITY SUMMIT SERIES 2015: EUROPE
5 November Amsterdam
10 November Düsseldorf
Visit summits.forgerock.com
Thank You!
Questions?