Case Study: Utilizing OpenIDM with an External AJAX Interface
This document discusses implementing an external AJAX interface with ForgeRock's OpenIDM identity management solution. It considers using OpenIDM, OpenAM, or OpenDJ APIs. OpenIDM is recommended as it provides the most flexibility with workflow, supporting multiple data stores, and custom endpoints. Security considerations for an internet-facing API include using a reverse proxy to reduce the attack surface and implementing API policies. A middle tier may be useful for business logic, token authentication, and hosting non-identity content. Potential gotchas include protecting OpenIDM with OpenAM and handling detailed user status returns from OpenAM's authentication REST API. The document provides contact information for an identity architect at Nulli to answer any additional questions.
Case Study: Utilizing OpenIDM with an External AJAX Interface
- 1. Human Information Identity Management Identity Solution Architects Case Study: Utilizing OpenIDM with an External AJAX Interface 6/4/2014
- 2. Introduction Nulli oForgeRock Strategic Partner oOpenSource Contributors oIAM Specialists since 1997 oHQ in Calgary, AB, Canada Servicing North America
- 3. Whitepaper Consumer facing trend Available for download nulli.com blog Authored by Hadi Ahmadi / Sandeep Chaturvedi Based on current Customer o Requirements IDP for public sector applications Registration/verification Self-service user functions o Detailed design was already complete o Interested in lightweight AJAX UI with REST API (Internet-facing)
- 4. CREST (Commons REST) Common REST API between products: oOpenIdM oOpenDJ oOpenAM
- 5. Implementing CREST Which API? oOverlap of functionality oStrong points Security? oInternet-facing? Middle Tier? oRequired? Gotchas
- 6. Which API? Overlap Example Create User • OpenAM »../json/users/?_action=regi ster • OpenIdM »../managed/user/ • OpenDJ »../users/newuser
- 8. Which API? - Summary OpenIdM oWorkflow oMultiple Data Stores oMost Flexible OpenAM oAuthentication/Authorization OpenDJ oMore System->System
- 9. Security? Reverse Proxy/Secure Gateway o Reduce ‘Attack’ Surface o Control generalized API patterns POST ../?action=something API Policies (OpenIdM) Authenticated vs Anonymous o Token/UID+PWD o OpenIdM protected by OpenAM XSS/CORS JSON Sanitization (embedded scripts, etc)
- 10. Middle Tier? Business Logic oMultiple calls behind Token authentication DMZ presence Anonymous links from emails Host non-identity contents oCountry/city lists, etc oLanding pages/UI host CAPTCHA
- 11. Gotchas OpenIdM (Jetty) Protected by OpenAM oCan’t use OOTB Anonymous user Returning detailed user status from OpenAM Authentication REST API (Active/Inactive) oMultiple calls oAuthentication plugin? Functionality in OpenAM not as flexible oOpenIdM custom end points
- 12. Architecture
- 13. P C Robert Jackson Identity Architect rjackson@nulli.com (403) 869-3313 (403) 648-0909 Questions?