This document discusses implementing an external AJAX interface with ForgeRock's OpenIDM identity management solution. It considers using OpenIDM, OpenAM, or OpenDJ APIs. OpenIDM is recommended as it provides the most flexibility with workflow, supporting multiple data stores, and custom endpoints. Security considerations for an internet-facing API include using a reverse proxy to reduce the attack surface and implementing API policies. A middle tier may be useful for business logic, token authentication, and hosting non-identity content. Potential gotchas include protecting OpenIDM with OpenAM and handling detailed user status returns from OpenAM's authentication REST API. The document provides contact information for an identity architect at Nulli to answer any additional questions.

1. Human Information
Identity Management
Identity Solution Architects
Case Study: Utilizing OpenIDM
with an External AJAX Interface
6/4/2014

2. Introduction
Nulli
oForgeRock Strategic Partner
oOpenSource Contributors
oIAM Specialists since 1997
oHQ in Calgary, AB, Canada
Servicing North America

3. Whitepaper
Consumer facing trend
Available for download nulli.com blog
Authored by Hadi Ahmadi / Sandeep
Chaturvedi
Based on current Customer
o Requirements
 IDP for public sector applications
 Registration/verification
 Self-service user functions
o Detailed design was already complete
o Interested in lightweight AJAX UI with
REST API (Internet-facing)

4. CREST (Commons REST)
Common REST API between
products:
oOpenIdM
oOpenDJ
oOpenAM

5. Implementing CREST
Which API?
oOverlap of functionality
oStrong points
Security?
oInternet-facing?
Middle Tier?
oRequired?
Gotchas

6. Which API?
Overlap Example
Create User
• OpenAM
»../json/users/?_action=regi
ster
• OpenIdM
»../managed/user/
• OpenDJ
»../users/newuser

7. Which API?
CREST
API
Registration
ProvisionLDAP
Provision
(Multiple
Password
PasswordReset
OTP
Auth’n&
Customizable
Workflow
Policy/Validati
Configuration
SelfService
Data
Federation
OpenAM
X
X
X
X
X
X
X
X
X
OpenIdM
X
X
X
X
X
X
X
X
X
X
X
OpenDJ
X
X
X
X

8. Which API? - Summary
OpenIdM
oWorkflow
oMultiple Data Stores
oMost Flexible
OpenAM
oAuthentication/Authorization
OpenDJ
oMore System->System

9. Security?
Reverse Proxy/Secure Gateway
o Reduce ‘Attack’ Surface
o Control generalized API patterns
POST ../?action=something
API Policies (OpenIdM)
Authenticated vs Anonymous
o Token/UID+PWD
o OpenIdM protected by OpenAM
XSS/CORS
JSON Sanitization (embedded scripts,
etc)

10. Middle Tier?
Business Logic
oMultiple calls behind
Token authentication
DMZ presence
Anonymous links from emails
Host non-identity contents
oCountry/city lists, etc
oLanding pages/UI host
CAPTCHA

11. Gotchas
OpenIdM (Jetty) Protected by
OpenAM
oCan’t use OOTB Anonymous user
Returning detailed user status from
OpenAM Authentication REST API
(Active/Inactive)
oMultiple calls
oAuthentication plugin?
Functionality in OpenAM not as
flexible
oOpenIdM custom end points

12. Architecture

13. P
C
Robert Jackson
Identity Architect
rjackson@nulli.com
(403) 869-3313
(403) 648-0909
Questions?