Resetting Forgotten Passwords with @ForgeRock #OpenAM

Implementing the “Resetting Forgotten Passwords” functionality as described in the OpenAM Developer’s Guide requires some additional custom code.

It’s pretty straight forward to implement this functionality and can be done in 4 steps (per the Developer’s Guide):

1. Configure the Email Service
2. Perform an HTTP Post with the user’s id
3. OpenAM looks up email address (based on user id) and sends an email with a link to reset the password
4. Intercept the HTTP GET request to this URL when the user clicks the link.

All of this functionality is available out of the box with the exception of #4.  I wrote some really simple javascript that can be deployed to the OpenAM server that will handle this.  This code was written as a proof-of-concept and doesn’t include any data-validation or error handling but that could be added fairly easily.  This script can be deployed to the root directory of your OpenAM deployment.  Just be sure to update the Forgot Password Confirmation Email URL in the OpenAM Console under Configuration > Global > REST Security.

I have made the code available on my GitHub page and you are welcome to use it or modify it.

As described on the README:

• These files are a proof of concept to extend OpenAM’s REST-based password reset functionalit
• Add these two files to your OpenAM deployment root (e.g. /tomcat7/webapps/openam
• Modify the server urls to the appropriate servers in your environmet
• Change the REST Security settings in the OpenAM console (e.g. http://%5BAM server and port]/openam/forgotPassword.jsp)

The file resetPassword.jsp is an optional file that will display a field for the user to provide their id and will then POST to /json/users?_action=forgotPassword (Step #2 from the Developer’s Guide).

Acknowledgements:

Thanks to @Aldaris and @ScottHeger for providing advice while I was working on this.

2014 IDM Conference Season Planning

Looks like it’s time to start planning for the IDM conference season.  There are some great conferences planned and I need to figure out how to start budgeting for some of these.  Let me know if I have missed any conferences that should be listed.

March:

• Gartner Identity & Access Management Summit (17 – 18 March 2014 | London, UK)

May:

• European Identity & Cloud Conference (13 – 16 May 2014 | Munich, Germany)

June:

• Identity Relationship Management Summit (Arizona Biltmore | Week of June 2, 2014)
• Identity Management 2014 – 18th June 2014 – Hotel Russell, Central London

July:

• Cloud Identity Summit 2014 (Monterey, California | July 19 – 22, 2014)

September:

• Global Identity Summit 2014 (Tampa, Florida | 16 – 18 September)

December:

• Gartner Identity & Access Management Summit (2 – 4 December 2014 | Las Vegas, NV)

Cool Open Identity Stack Scripts/Utilities – GitHub Repos #ForgeRock #IDM

I was working on a few scripts to test out some of the new REST APIs in OpenAM 11.  I saved them out to GitHub and you are welcome to have at them.

I thought it might also be cool to share some of the other Repo’s that are related to ForgeRock as well.  There are some really cool scripts available for interacting with OpenAM, OpenIDM and OpenDJ.

These are freely available but not officially supported by ForgeRock or the developers of the scripts.  Just click on the person’s name to go to their GitHub repo.

OpenAM:

• Brad Tumy (AuthNUser, checkEntitlements, listAgents *New API and Legacy API*, updatePolicy)
• Simon Moffatt (Really cool interactive menu!)

OpenDJ:

• Ludo Poitou (Some really handy utilities e.g.: logstat.py & filterstat.py)
• Chris Ridd (Very handy utils e.g.: slowops: analyzes operation times in access logs)
• Simon Moffatt

OpenIDM:

• Simon Moffatt (Interactive mode menu for calling OpenIDM’s REST APIs)
  

Full OIS Stack:

• Warren Strange (Ansible (like puppet) scripts for deploying the OIS stack to Vagrant)

I am sure there are other great repos that I have missed, so feel free to add them in the comments and I can update the post.

Disclaimer: These scripts have been very handy to me but YMMV.

 

OpenAM: Protecting a Web Application

In response to a post that I had written before on how to install OpenDJ and OpenAM I had someone remind me that I never came back and wrote the follow on post (which I had promised to do).  They posted the question to my other blog site (which I have since migrated over to this site).  I am going to answer the question here as this is the only blog that I am presently maintaining.

Hi,

Can you paste me the link which talks about next part of the installation.
1. Configure OpenAM to look to OpenDJ for users
2. Install a Web agent
3. Create an Access Policy to protect a web application.

I often say that I am successful by “standing on the shoulders of giants”.  There is so much great “how to” content on the ForgeRock Community wiki site and that is where I turn to when I am looking for help or advice on OpenAM, OpenDJ and OpenIDM. Take a look at the section, “OpenAM: How do I?”.  There are a number of “how-to” articles that are literally step by step with screen shots.  

The link for the article that specifically talks about how to configure OpenAM to protect a web application can be found here:  Add Authentication to a Website using OpenAM.

******** Shameless Plug Alert ************

To protect a single web site is pretty simple and straight forward but sometimes you have unusual or difficult use cases where you need another set of eyes or additional help architecting your solution.  I have a lot of experience with the ForgeRock suite and I am available to provide consulting services.  Please don’t hesitate to reach out if you are interested in contracting my services.

OpenDJ & OpenAM automatic startup on Ubuntu

I have been installing the ForgeRock stack on Ubuntu a lot lately.  One of the things that I noticed is that when configuring OpenAM and OpenDJ for automatic startup you need to let OpenDJ finish starting up before starting Tomcat (OpenAM) … otherwise OpenAM will not be able to find it’s configuration and assume that it’s a new install.  I added a timer to the start up script to make the script sleep for a minute before starting (YMMV) Mark Craig (from ForgeRock) clued me into a nice little bit of code “start on started opendj” essentially this tells the startup script to wait until opendj has started before starting Tomcat.  Thanks Mark, that’s exactly what I was looking for.

OpenDJ

cd [install dir]/opendj/bin

sudo ./create-rc-script -f /etc/init.d/opendj -u [user to run as]

cd /etc/init.d

sudo update-rc.d opendj defaults

OpenAM [on Tomcat]

sudo vi /etc/init.d/tomcat

Now paste the following content:

    # Tomcat auto-start
    #
    # description: Auto-starts tomcat
    # start tomcat with user: ubuntu
    # pidfile: /var/run/tomcat.pid

    export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64

    case $1 in
    start)
            start on started opendj
            /bin/su ubuntu /opt/tomcat/bin/startup.sh
            ;;
    stop)
            /bin/su ubuntu /opt/tomcat/bin/shutdown.sh
            ;;
    restart)
            /bin/su ubuntu /opt/tomcat/bin/shutdown.sh
            /bin/su ubuntu /opt/tomcat/bin/startup.sh
            ;;
    esac
    exit 0

Make the script executable by running the chmod command:

sudo chmod 755 /etc/init.d/tomcat

The last step is linking this script to the startup folders with a symbolic link. Run the following two commands:.

sudo ln -s /etc/init.d/tomcat /etc/rc1.d/K99tomcat

sudo ln -s /etc/init.d/tomcat /etc/rc2.d/S99tomcat

Restart the system and tomcat will start automatically.

#Oracle #OIF controlling the authentication method #SAML #IDM

I am working with a client today who has Oracle Identity Federation (OIF) 11g configured with Oracle Access Manager (OAM) 10g as the default Authentication Engine.  With this configuration the authentication module is dictated by the OAM policy configuration.  If you set the OAM policy (the policy that protects the /fed/user/authnoam resource) to IWA then all federated SSO attempts will be routed to the IWA authn engine and if this policy is configure for a custom login form then all SSO attempts will be routed to the custom login form … I think you get the point.  So, what happens when some resources (SaaS apps configured as SP/RP’s in OIF) require different levels of assurance (LOAs)?  I thought maybe I could use the SAML default authentication method configured in the SP/RP metadata in the circle of trust (COT) but that does not get passed onto OAM.  My second thought was to create a different policy for the URL that was being protected … but that OIF uses a pretty standard URL (/fed/user/authnoam?refid=id-blahblahblah) … OAM wouldn’t be able to figure out which policy to use.

So, had anyone else found a solution to this problem?  I would appreciate any discussions or feedback.

Open Source Identity Solutions

I was asked by a colleague today to provide sources of analysis comparing Open Source IDM Solutions. I think they were looking for comparisons to closed source solutions but there is not a lot of that out there. I provided the following list as a starting point.

I generally like to save time (avoid searching for this again in the future) so I decided to put what I found here. If I am missing anything please let me know and I will update the list.

Provisioning/User Identity Management:

• OpenIDM(ForgeRock)
  • OpenICF

• midPoint
• Apache Syncope
• OpenPTK

Comparisons:

• https://www.ohloh.net/p/compare?project_0=midPoint&project_1=OpenIdM&project_2=Apache+Syncope
• http://www.actionidentity.com/blog/post.cfm/stacking-forgerock-openidm-up-to-the-competition
• http://www.nlight.eu/documents/open-source-idm/

SSO/Access Management/Authentication:

• OpenAM (ForgeRock)
• Advanced Authentication Server
• JoshuaTree
• Apache Shiro (Stormpath)

Comparisons:

• http://www.slideshare.net/craigsdickson/fast-and-free-sso-a-survey-of-open-source-solutions-to-single-sign-on (make a note that OpenSSO is now called OpenAM and is maintained by ForgeRock)
• http://en.wikipedia.org/wiki/List_of_single_sign-on_implementations

Federation

• ForgeRock OpenAM (SAML, OpenID and OAuth)
• Shibboleth
• OpenID
• SimpleSAMLPHP
• dotnetopenauth
• Gluu OX (OpenID Connect Platform)
• Source ID

Directory Services:

• ForgeRock OpenDJ
• Apache Directory Server (Directory Server and LDAP Browser)
• http://www.openldap.org/

Comparisons:

• http://en.wikipedia.org/wiki/List_of_LDAP_software

Initiatives

• Social2SAML

SSH Tunnel (of love) from OS X to EC2

So, this is not my “typical” IDM post but I wanted to save this for my own future reference.

Scenario:
Working from Mac OS X desktop and connecting to an EC2 (Redhat) instance over SSH.  I am installing and configuring Symfony which requires (strongly desires) that you connect to the config.php script from localhost (127.0.0.1).

Options:
1.)  Modify PHP script to comment out the localhost checks (boring)
2.)  Create a SSH tunnel from Mac terminal to the web port on the EC2 instance

The first option is pretty obvious and requires basic skills.  I am not sure what the ripple effects are with this so I’d prefer not to go this route.

The second option earns more “skillz” points and doesn’t require you to modify the config.php file, from Symfony. Note: Originally, I was using port 81 as the local port.  I changed the local port to 1337 vs 81.  Chris (see comments) made an excellent point that you don’t need to use sudo if your local port is higher than 1024.

Steps:
1.  Open Terminal Window from OS X desktop
2.  Type:  ssh -i mykey.pem -L 1337:am.acme.com:80 am.acme.com

So what did we do here:

ssh -i mykey.pem:  connect to remote server using ssh with the key that you use to connect to Amazon instance (you do use keys right??)
-L 1337:am.acme.com:80:  Local port (on OS X) will be 1337 and map that port to 80 on the EC2 instance URL am.acme.com
am.acme.com: this is the remote (EC2 instance) hostname

3.  The first time you connect to this server you will be asked to add this host to your known hosts file (say yes)
4.  Open a web browser (from OS X) and enter “127.0.0.1:1337/Symfony/web/config.php” to connect to the Symfony config on the EC2 instance

As long as you keep the SSH connection open then you can use the tunnel.  To close the tunnel, just exit from the SSH session.

Virtual Identity Server for Office 365 – OptimalIDM

I just got this from my friends at OptimalIDM and wanted to share this news.

OptimalIDM is formally announcing their Virtual Identity Server for Office 365 via a press release at 9:00 a.m. this morning.

VIS for Office 365 adds a ton of features and support to Office 365 such as:

• ·         Users can exist anywhere (i.e. eDirectory)
• ·         Complete Multi-forest support (no on-premise synch required)
• ·         Non-routable UPN’s (domain.local) & multiple UPN suffixes support
• ·         Two-Factor authentication
• ·         Denial of Service prevention/Detection
• ·         Cloud Firewall (filter data going to cloud)
• ·         Detailed Audit logging

OptimalIDM is demonstrating this at a Lunch presentation on TUESDAY at TEC.

Troubleshooting errors starting #OID #11g #Oracle #Identity #LDAP

I have an Oracle Identity 11g environment running on VirtualBox 4.0. This is a development environment that I use to test out various installations and configurations. I noticed the other day that I wasn’t able to start the Oracle Internet Directory (OID) instance.

When I checked the log file I can see that I am not able to connect to the Database. By the way, the log that is referenced doesn’t show anything of value. The log that actually contained the error is called: oidmon-0000.log

According to ora-code.com ora-28000 the error means that the user account that is connecting to the database ‘ODS’ is locked.

ORA-28000:	the account is locked
Cause:	The user has entered wrong password consequently for maximum number of times specified by the user’s profile parameter FAILED_LOGIN_ATTEMPTS, or the DBA has locked the account
Action:	Wait for PASSWORD_LOCK_TIME or contact DBA

It’s typically trivial to unlock an account from the sqlplus command line

So, we should be good now. I will try to start the process again.

But now my log shows

So, now I am getting an ORA-01017 error. Which means “Invalid username/password”. So, it seems that the Database doesn’t like the password that OID is supplying to connect to the ODS schema.

I’ll use SQL Developer to try and connect to the database with the ODS user

Interesting, SQL Developer is showing an ORA-28000 error.

Let’s try connecting using SQLPlus …

So, it seems we have a consensus (and yes, I did just include my password in the screenshot … it doesn’t matter)

Let’s see what the database has to say about this user. Make sure you reconnect to the DB as oracle.

Ok, didn’t we just unlock it? Let’s try again …

So, now what is the status?

Hey! This is good right? … the account seems to be open again.

So, let’s try to start OID again.

Ok, this is looking pretty ugly right about now…

… and the account is locked again. So, let’s see if we can figure out why this is happening.

Maybe the wallet that holds the ODS password for OID has become corrupt. We can recreate it using oidpasswd.

Note: Before you run oidpasswd it’s important to have your Oracle environment set up correctly. Here is what I am using (yours may vary):

ORACLE_SID=orcl

ORACLE_BASE=/opt/oracle

ORACLE_INSTANCE=/opt/oracle/Middleware/asisnt_1

ORACLE_HOME=/opt/oracle/Middleware/Oracle_IDM1

MW_HOME=/opt/oracle/Middleware

Now with this output … I have verified the location of the tnsnames.ora file and the information in it … so I am going to assume for the moment that the issue is with the password (at least until I prove otherwise).

Typically, changing the password will unlock the account

But here we are and the account is still locked.

… I am spending some time just fishing around on the Internet and looking around at my system

Wait a second … I wasn’t even thinking about ODSSM …

Change the ODSSM’s password and then unlock ODS.

So, both accounts should now be “OPEN”

Now restart the OIDMON process

What does the log say

Completely different error this time. At least I feel like we are making some progress …

hmmm … if the wallet can’t be read … maybe we can recreate the wallet. Let’s re-run the “create wallet” command that we tried earlier.

Hey! … it was successful this time. So, let’s try starting the OID processes

That was successful!

Now to check the status of the OPMN Processes

All of the OID related processes are now Alive. The ohs1 process is down because I turned it off earlier.