Integrator's Guide ForgeRock Identity Management 5 IDM Integrators

• Integrator's Guide
• Table of Contents
• Preface
  • 1. About This Guide
  • 2. Formatting Conventions
  • 3. Accessing Documentation Online
  • 4. Joining the ForgeRock Community
• Chapter 1. Architectural Overview
  • 1.1. Modular Framework
  • 1.2. Infrastructure Modules
  • 1.3. Core Services
  • 1.4. Secure Commons REST Commands
  • 1.5. Access Layer
• Chapter 2. Starting and Stopping the Server
  • 2.1. To Start and Stop the Server
  • 2.2. Specifying the Startup Configuration
  • 2.3. Monitoring Basic Server Health
    • 2.3.1. Basic Health Checks
    • 2.3.2. Getting Current Session Information
    • 2.3.3. Monitoring Tuning and Health Parameters
      • 2.3.3.1. Operating System Health Check
      • 2.3.3.2. Memory Health Check
      • 2.3.3.3. JDBC Health Check
      • 2.3.3.4. Reconciliation Health Check
    • 2.3.4. Customizing Health Check Scripts
    • 2.3.5. Verifying the State of Health Check Service Modules
  • 2.4. Displaying Information About Installed Modules
  • 2.5. Starting in Debug Mode
  • 2.6. Running As a Service on Linux Systems
• Chapter 3. Command-Line Interface
  • 3.1. Using the configexport Subcommand
  • 3.2. Using the configimport Subcommand
  • 3.3. Using the configureconnector Subcommand
  • 3.4. Using the encrypt Subcommand
  • 3.5. Using the secureHash Subcommand
  • 3.6. Using the keytool Subcommand
  • 3.7. Using the validate Subcommand
  • 3.8. Using the update Subcommand
• Chapter 4. Web-Based User Interfaces
  • 4.1. Configuring the Server from the Admin UI
    • 4.1.1. Default Admin UI Dashboard
    • 4.1.2. Creating and Modifying Dashboards
  • 4.2. Working With the Self-Service UI
    • 4.2.1. The Self-Service UI Dashboard
    • 4.2.2. The Self-Service UI Profile
  • 4.3. Customizing a UI Template
    • 4.3.1. Customizing User Self-Service Screens
    • 4.3.2. Modifying Valid Query Fields
  • 4.4. Managing Accounts
    • 4.4.1. Account Configuration
    • 4.4.2. Procedures for Managing Accounts
  • 4.5. Configuring Account Relationships
  • 4.6. Customizing the UI
  • 4.7. Changing the UI Theme
    • 4.7.1. OpenIDM UI Themes and Bootstrap
    • 4.7.2. Changing the Default Logo
    • 4.7.3. Changing the Language of the UI
    • 4.7.4. Creating a Project-Specific UI Theme
  • 4.8. Resetting User Passwords
    • 4.8.1. Resetting a User Password Through the Admin UI
    • 4.8.2. Using an External System for Password Reset
  • 4.9. Providing a Logout URL to External Applications
  • 4.10. Changing the UI Path
  • 4.11. API Explorer
  • 4.12. Disabling the UI
• Chapter 5. Configuring User Self-Service
  • 5.1. Common Configuration Details
    • 5.1.1. Configuring Self-Service Email Messages
    • 5.1.2. Configuring Google reCAPTCHA
    • 5.1.3. Configuring Self-Service Questions
    • 5.1.4. Setting a Minimum Number of Self-Service Questions
    • 5.1.5. Enabling Social Identities in User Self-Registration
  • 5.2. The End User and Commons User Self-Service
• Chapter 6. Managing the Repository
  • 6.1. Understanding the JDBC Repository Configuration File
    • 6.1.1. Understanding the JDBC Connection Configuration File
    • 6.1.2. Understanding the Database Table Configuration
  • 6.2. Using Explicit or Generic Object Mapping With a JDBC Repository
    • 6.2.1. Using Generic Mappings
    • 6.2.2. Improving Search Performance for Generic Mappings
    • 6.2.3. Using Explicit Mappings
  • 6.3. Configuring SSL with a JDBC Repository
  • 6.4. Interacting With the Repository Over REST
    • 6.4.1. Changing the Repository Password
    • 6.4.2. Running Queries and Commands on the Repository
• Chapter 7. Configuring the Server
  • 7.1. Configuration Objects
    • 7.1.1. Single Instance Configuration Objects
    • 7.1.2. Multiple Instance Configuration Objects
  • 7.2. Changing the Default Configuration
  • 7.3. Configuring the Server for Production
    • 7.3.1. Configuring a Production Repository
    • 7.3.2. Disabling Automatic Configuration Updates
    • 7.3.3. Communicating Through a Proxy Server
  • 7.4. Configuring the Server Over REST
  • 7.5. Using Property Value Substitution In the Configuration
    • 7.5.1. Using Property Value Substitution With System Properties
    • 7.5.2. Limitations of Property Value Substitution
  • 7.6. Setting the Script Configuration
  • 7.7. Calling a Script From a Configuration File
• Chapter 8. Accessing Data Objects
  • 8.1. Accessing Data Objects By Using Scripts
  • 8.2. Accessing Data Objects By Using the REST API
  • 8.3. Defining and Calling Queries
    • 8.3.1. Common Filter Expressions
    • 8.3.2. Parameterized Queries
    • 8.3.3. Native Query Expressions
    • 8.3.4. Constructing Queries
      • 8.3.4.1. Comparison Expressions
        • 8.3.4.1.1. Querying Objects That Equal the Given Value
        • 8.3.4.1.2. Querying Objects That Contain the Given Value
        • 8.3.4.1.3. Querying Objects That Start With the Given Value
        • 8.3.4.1.4. Querying Objects That Are Less Than the Given Value
        • 8.3.4.1.5. Querying Objects That Are Less Than or Equal to the Given Value
        • 8.3.4.1.6. Querying Objects That Are Greater Than the Given Value
        • 8.3.4.1.7. Querying Objects That Are Greater Than or Equal to the Given Value
      • 8.3.4.2. Presence Expressions
      • 8.3.4.3. Literal Expressions
      • 8.3.4.4. Complex Expressions
    • 8.3.5. Paging and Counting Query Results
    • 8.3.6. Sorting Query Results
• Chapter 9. Managing Users, Groups, Roles and Relationships
  • 9.1. Creating and Modifying Managed Object Types
  • 9.2. Working with Managed Users
  • 9.3. Working With Managed Groups
  • 9.4. Working With Managed Roles
    • 9.4.1. Creating a Role
    • 9.4.2. Listing Existing Roles
    • 9.4.3. Granting a Role to a User
      • 9.4.3.1. Granting Roles Manually
      • 9.4.3.2. Granting Roles Dynamically
        • 9.4.3.2.1. Granting Roles Based on a Condition
        • 9.4.3.2.2. Granting Roles By Using Custom Scripts
    • 9.4.4. Using Temporal Constraints to Restrict Effective Roles
      • 9.4.4.1. Adding a Temporal Constraint to a Role Definition
      • 9.4.4.2. Adding a Temporal Constraint to a Role Grant
    • 9.4.5. Querying a User's Manual and Conditional Roles
    • 9.4.6. Deleting a User's Roles
    • 9.4.7. Deleting a Role Definition
    • 9.4.8. Working With Role Assignments
      • 9.4.8.1. Creating an Assignment
      • 9.4.8.2. Adding an Assignment to a Role
      • 9.4.8.3. Deleting an Assignment
    • 9.4.9. Understanding Effective Roles and Effective Assignments
    • 9.4.10. Managed Role Script Hooks
  • 9.5. Managing Relationships Between Objects
    • 9.5.1. Defining a Relationship Type
    • 9.5.2. Establishing a Relationship Between Two Objects
    • 9.5.3. Validating Relationships Between Objects
    • 9.5.4. Working With Bi-Directional Relationships
    • 9.5.5. Viewing Relationships Over REST
    • 9.5.6. Viewing Relationships in Graph Form
  • 9.6. Running Scripts on Managed Objects
  • 9.7. Encoding Attribute Values
    • 9.7.1. Encoding Attribute Values With Reversible Encryption
    • 9.7.2. Encoding Attribute Values by Using Salted Hash Algorithms
  • 9.8. Restricting HTTP Access to Sensitive Data
• Chapter 10. Configuring Social ID Providers
  • 10.1. OpenID Connect Authorization Code Flow
  • 10.2. Many Social ID Providers, One Schema
  • 10.3. Setting Up Google as a Social Identity Provider
    • 10.3.1. Setting Up Google
    • 10.3.2. Configuring a Google Social ID Provider
    • 10.3.3. Configuring User Registration to Link to Google
  • 10.4. Setting Up LinkedIn as a Social Identity Provider
    • 10.4.1. Setting Up LinkedIn
    • 10.4.2. Configuring a LinkedIn Social ID Provider
    • 10.4.3. Configuring User Registration to Link to LinkedIn
  • 10.5. Setting Up Facebook as a Social Identity Provider
    • 10.5.1. Setting Up Facebook
    • 10.5.2. Configuring a Facebook Social ID Provider
    • 10.5.3. Configuring User Registration to Link to Facebook
  • 10.6. Setting Up a Custom Social Identity Provider
    • 10.6.1. Preparing IDM For a Custom Social ID Provider
    • 10.6.2. Setting Up a Custom Social ID Provider
    • 10.6.3. Configuring a Custom Social ID Provider
    • 10.6.4. Configuring User Registration to Link to a Custom Provider
  • 10.7. Configuring the Social Providers Authentication Module
  • 10.8. Managing the Social ID Provider Over REST
  • 10.9. Testing the Social ID Provider
  • 10.10. Managing Links Between End User Accounts and Social ID Providers
    • 10.10.1. The Process for End Users
    • 10.10.2. Reviewing Linked Accounts as an Administrator
      • 10.10.2.1. Reviewing Linked Accounts Over REST
      • 10.10.2.2. Reviewing Linked Accounts From the Admin UI
• Chapter 11. Using Policies to Validate Data
  • 11.1. Configuring the Default Policy for Managed Objects
    • 11.1.1. Understanding the Policy Script File
      • 11.1.1.1. Policy Configuration Objects
      • 11.1.1.2. Policy Implementation Functions
    • 11.1.2. Understanding the Policy Configuration Element
    • 11.1.3. Validation of Managed Object Data Types
    • 11.1.4. Configuring Policy Validation in the UI
  • 11.2. Extending the Policy Service
    • 11.2.1. Adding Custom Scripted Policies
    • 11.2.2. Adding Conditional Policy Definitions
  • 11.3. Disabling Policy Enforcement
  • 11.4. Managing Policies Over REST
    • 11.4.1. Listing the Defined Policies
    • 11.4.2. Validating Objects and Properties Over REST
• Chapter 12. Configuring Server Logs
  • 12.1. Log Message Files
  • 12.2. Logging Levels
  • 12.3. Disabling Logs
• Chapter 13. Connecting to External Resources
  • 13.1. The Open Identity Connector Framework (OpenICF)
  • 13.2. Accessing Remote Connectors
    • 13.2.1. Configuring Failover Between Remote Connector Servers
  • 13.3. Configuring Connectors
    • 13.3.1. Setting the Connector Reference Properties
    • 13.3.2. Setting the Pool Configuration
    • 13.3.3. Setting the Operation Timeouts
    • 13.3.4. Setting the Connection Configuration
    • 13.3.5. Setting the Synchronization Failure Configuration
    • 13.3.6. Configuring How Results Are Handled
    • 13.3.7. Specifying the Supported Object Types
      • 13.3.7.1. Extending the Object Type Configuration
      • 13.3.7.2. Extending the Property Type Configuration
    • 13.3.8. Configuring the Operation Options
  • 13.4. Installing and Configuring Remote Connector Servers
    • 13.4.1. Installing and Configuring a .NET Connector Server
    • 13.4.2. Installing and Configuring a Remote Java Connector Server
  • 13.5. Supported Connectors
  • 13.6. Creating Default Connector Configurations
    • 13.6.1. Adding New Connectors from the Admin UI
    • 13.6.2. Adding New Connectors from the Command Line
  • 13.7. Checking the Status of External Systems Over REST
  • 13.8. Adding Attributes to Connector Configurations
• Chapter 14. Synchronizing Data Between Resources
  • 14.1. Types of Synchronization
  • 14.2. Defining Your Data Mapping Model
  • 14.3. Configuring Synchronization Between Two Resources
    • 14.3.1. Setting Up the Connector Configuration
      • 14.3.1.1. Setting up and Modifying Connector Configurations in the Admin UI
      • 14.3.1.2. Editing Connector Configuration Files
    • 14.3.2. Mapping Source Objects to Target Objects
      • 14.3.2.1. Specifying the Resource Mapping
        • 14.3.2.1.1. Specifying Resource Mapping in the Admin UI
      • 14.3.2.2. Creating Attributes in a Mapping
      • 14.3.2.3. Transforming Attributes in a Mapping
      • 14.3.2.4. Using Scriptable Conditions in a Mapping
      • 14.3.2.5. Mapping a Single Source Object to Multiple Target Objects
      • 14.3.2.6. Correlating Source Objects With Existing Target Objects
        • 14.3.2.6.1. Writing Correlation Queries
          • 14.3.2.6.1.1. Using Filtered Queries to Correlate Objects
          • 14.3.2.6.1.2. Using Predefined Queries to Correlate Objects
          • 14.3.2.6.1.3. Using the Expression Builder to Create Correlation Queries
        • 14.3.2.6.2. Writing Correlation Scripts
    • 14.3.3. Filtering Synchronized Objects
    • 14.3.4. Configuring Synchronization Filters With User Preferences
      • 14.3.4.1. Configuring End User Preferences
      • 14.3.4.2. Reviewing Preferences as an End User
      • 14.3.4.3. User Preferences and Reconciliation
    • 14.3.5. Preventing Accidental Deletion of a Target System
      • 14.3.5.1. Preventing Accidental Deletion in the Admin UI
  • 14.4. Constructing and Manipulating Attributes With Scripts
  • 14.5. Advanced Use of Scripts in Mappings
  • 14.6. Reusing Links Between Mappings
  • 14.7. Managing Reconciliation
    • 14.7.1. Triggering a Reconciliation
      • 14.7.1.1. Triggering a Reconciliation in the Admin UI
    • 14.7.2. Canceling a Reconciliation
      • 14.7.2.1. Cancelling a Reconciliation in the Admin UI
    • 14.7.3. Listing a History of Reconciliations
    • 14.7.4. Obtaining the Details of a Reconciliation
      • 14.7.4.1. Obtaining the Details of a Reconciliation in the Admin UI
    • 14.7.5. Triggering LiveSync Over REST
  • 14.8. Restricting Reconciliation By Using Queries
    • 14.8.1. Restricting Reconciliation in the Admin UI, With Queries
  • 14.9. Restricting Reconciliation to a Specific ID
  • 14.10. Configuring the LiveSync Retry Policy
  • 14.11. Disabling Automatic Synchronization Operations
  • 14.12. Configuring Synchronization Failure Compensation
  • 14.13. Synchronization Situations and Actions
    • 14.13.1. How OpenIDM Assesses Synchronization Situations
    • 14.13.2. Source Reconciliation
    • 14.13.3. Target Reconciliation
    • 14.13.4. Situations Specific to Implicit Synchronization and LiveSync
    • 14.13.5. Synchronization Actions
    • 14.13.6. Launching a Script As an Action
    • 14.13.7. Launching a Workflow As an Action
  • 14.14. Asynchronous Reconciliation
  • 14.15. Configuring Case Sensitivity For Data Stores
  • 14.16. Optimizing Reconciliation Performance
    • 14.16.1. Correlating Empty Target Sets
      • 14.16.1.1. Correlating Empty Target Sets in the Admin UI
    • 14.16.2. Prefetching Links
      • 14.16.2.1. Prefetching Links in the Admin UI
    • 14.16.3. Parallel Reconciliation Threads
      • 14.16.3.1. Parallel Reconciliation Threads in the Admin UI
    • 14.16.4. Improving Reconciliation Query Performance
    • 14.16.5. Improving Role-Based Provisioning Performance With an onRecon Script
    • 14.16.6. Paging Reconciliation Query Results
  • 14.17. Scheduling Synchronization
    • 14.17.1. Configuring Scheduled Synchronization
    • 14.17.2. Specifying the Mapping as Part of the Schedule
• Chapter 15. Extending Functionality By Using Scripts
  • 15.1. Validating Scripts Over REST
  • 15.2. Creating Custom Endpoints to Launch Scripts
    • 15.2.1. Creating a Custom Endpoint Configuration File
    • 15.2.2. Writing Custom Endpoint Scripts
    • 15.2.3. Setting Up Exceptions in Scripts
  • 15.3. Registering Custom Scripted Actions
• Chapter 16. Scheduling Tasks and Events
  • 16.1. Configuring the Scheduler Service
  • 16.2. Configuring Schedules
  • 16.3. Configuring Persistent Schedules
  • 16.4. Schedule Examples
  • 16.5. Managing Schedules Over REST
    • 16.5.1. Validating Schedule Syntax
    • 16.5.2. Defining a Schedule
    • 16.5.3. Obtaining the Details of a Scheduled Job
    • 16.5.4. Querying Scheduled Jobs
    • 16.5.5. Updating a Schedule
    • 16.5.6. Deleting a Schedule
    • 16.5.7. Obtaining a List of Running Scheduled Jobs
    • 16.5.8. Pausing Scheduled Jobs
    • 16.5.9. Resuming All Scheduled Jobs
    • 16.5.10. Querying Schedule Triggers
  • 16.6. Managing Schedules Through the Admin UI
  • 16.7. Scanning Data to Trigger Tasks
    • 16.7.1. Configuring the Task Scanner
    • 16.7.2. Managing Scanning Tasks Over REST
      • 16.7.2.1. Triggering a Scanning Task
      • 16.7.2.2. Canceling a Scanning Task
      • 16.7.2.3. Listing Scanning Tasks
• Chapter 17. Managing Passwords
  • 17.1. Enforcing Password Policy
    • 17.1.1. Creating a Password History Policy
  • 17.2. Storing Separate Passwords Per Linked Resource
  • 17.3. Generating Random Passwords
  • 17.4. Synchronizing User Passwords With LDAP Servers
    • 17.4.1. Synchronizing Passwords With OpenDJ
      • 17.4.1.1. Establishing Secure Communication Between OpenIDM and OpenDJ
      • 17.4.1.2. Installing the OpenDJ Password Synchronization Plugin
      • 17.4.1.3. Uninstalling the OpenDJ Password Synchronization Plugin
    • 17.4.2. Synchronizing Passwords With Active Directory
      • 17.4.2.1. Installing the Active Directory Password Synchronization Plugin
      • 17.4.2.2. Changing the Password Synchronization Plugin Configuration After Installation
• Chapter 18. Managing Authentication, Authorization and Role-Based Access Control
  • 18.1. The Authentication Model
    • 18.1.1. Authenticating OpenIDM Users
      • 18.1.1.1. Internal Users
        • 18.1.1.1.1. Managing Internal Users Over REST
      • 18.1.1.2. Managed Users
      • 18.1.1.3. Authenticating Internal and Managed Users
    • 18.1.2. Supported Authentication and Session Modules
      • 18.1.2.1. Supported Session Module
      • 18.1.2.2. Supported Authentication Modules
    • 18.1.3. Configuring Pass-Through Authentication
    • 18.1.4. Configuring Authentication With OpenID Connect
    • 18.1.5. Configuring Authentication With OAuth 2.0
    • 18.1.6. Configuring IWA Authentication
      • 18.1.6.1. Creating a Specific Kerberos User Account for OpenIDM
      • 18.1.6.2. Creating a Keytab File
      • 18.1.6.3. Configuring OpenIDM for IWA
    • 18.1.7. Configuring Client Certificate Authentication
    • 18.1.8. Interactions Between Modules in the Stack
      • 18.1.8.1. Standards-Based Integration
      • 18.1.8.2. Using the OpenIDM Session Module
      • 18.1.8.3. REST Calls and Integration
      • 18.1.8.4. Mapping Admin Users
  • 18.2. Roles and Authentication
  • 18.3. Authorization
    • 18.3.1. Understanding the Router Authorization Script (router-authz.js)
    • 18.3.2. Understanding the Access Configuration Script (access.js)
    • 18.3.3. Granting Internal Authorization Roles
    • 18.3.4. Extending the Authorization Mechanism
    • 18.3.5. Managing User Access to Workflows
      • 18.3.5.1. Adding Another Role to a Workflow
  • 18.4. Building Role-Based Access Control (RBAC)
    • 18.4.1. Roles, Authentication, and the Security Context
• Chapter 19. Securing & Hardening Servers
  • 19.1. Accessing the Security Management Service
    • 19.1.1. Displaying the Contents of the Keystore
    • 19.1.2. Importing a Signed Certificate into the Keystore
    • 19.1.3. Using an Alternative Certificate to Service SSL Requests
    • 19.1.4. Using Keytool to Import a Signed Certificate
    • 19.1.5. Generating a Certificate Signing Request Over REST
    • 19.1.6. Generating a Self-Signed Certificate Over REST
    • 19.1.7. Deleting Certificates Over REST
    • 19.1.8. Rotating Encryption Keys
  • 19.2. Security Precautions for a Production Environment
    • 19.2.1. Use SSL and HTTPS
    • 19.2.2. Restrict REST Access to the HTTPS Port
    • 19.2.3. Encrypt Data Internally and Externally
    • 19.2.4. Remove Unused CA Digital Certificates
    • 19.2.5. Use Message Level Security
      • 19.2.5.1. Message Level Security with Logins
      • 19.2.5.2. Sessions and the JWT Cookie
    • 19.2.6. Replace Default Security Settings
    • 19.2.7. Secure Jetty
    • 19.2.8. Protect Sensitive REST Interface URLs
    • 19.2.9. Protect Sensitive Files & Directories
    • 19.2.10. Remove or Protect Development & Debug Tools
    • 19.2.11. Protect the Repository
    • 19.2.12. Adjust Log Levels
    • 19.2.13. Set Up Restart At System Boot
    • 19.2.14. Disable the API Explorer
  • 19.3. Configuring a Hardware Security Module (HSM) Device
    • 19.3.1. Setting Up the HSM Configuration
    • 19.3.2. Populating the Default Encryption Keys
    • 19.3.3. Configuring OpenIDM to Support an HSM Provider
• Chapter 20. Integrating Business Processes and Workflows
  • 20.1. BPMN 2.0 and the Activiti Tools
  • 20.2. Setting Up Activiti Integration
    • 20.2.1. Configuring the Activiti Engine
      • 20.2.1.1. Configuring the Activiti History Level
    • 20.2.2. Defining Activiti Workflows
    • 20.2.3. Invoking Activiti Workflows
    • 20.2.4. Querying Activiti Workflows
  • 20.3. Using Custom Templates for Activiti Workflows
  • 20.4. Managing Workflows Over the REST Interface
• Chapter 21. Logging Audit Information
  • 21.1. Configuring the Audit Service
  • 21.2. Configuring Audit Event Handlers
    • 21.2.1. JSON Audit Event Handler
    • 21.2.2. CSV Audit Event Handler
      • 21.2.2.1. Minimum Admin UI CSV Audit Handler Configuration Requirements
      • 21.2.2.2. Configuring Keys to Protect Audit Logs Against Tampering
      • 21.2.2.3. Configuring Tamper Protection for CSV Audit Logs
      • 21.2.2.4. Checking the Integrity of Audit Log Files
    • 21.2.3. Router Audit Event Handler
    • 21.2.4. Repository Audit Event Handler
    • 21.2.5. JMS Audit Event Handler
      • 21.2.5.1. Adding Required Bundles for the JMS Messaging
      • 21.2.5.2. Configuring JMS at the Admin UI
      • 21.2.5.3. JMS Configuration File
      • 21.2.5.4. JMS, ActiveMQ, and SSL
      • 21.2.5.5. JMS Message Format
      • 21.2.5.6. JMS, TIBCO, and SSL
    • 21.2.6. Elasticsearch Audit Event Handler
      • 21.2.6.1. Installing and Configuring Elasticsearch
      • 21.2.6.2. Creating an Audit Index for Elasticsearch
      • 21.2.6.3. Configuring the Elasticsearch Audit Event Handler
        • 21.2.6.3.1. Configuring the Elasticsearch Audit Event Handler via the Admin UI
        • 21.2.6.3.2. Configuring the Elasticsearch Audit Event Handler in audit.json
      • 21.2.6.4. Querying and Reading Elasticsearch Audit Events
    • 21.2.7. Syslog Audit Event Handler
    • 21.2.8. Splunk Audit Event Handler
    • 21.2.9. Reviewing Active Audit Event Handlers
  • 21.3. Audit Log Event Topics
    • 21.3.1. OpenIDM Audit Event Topics
  • 21.4. Event Topics: Filtering
    • 21.4.1. Filter Actions: Filtering Audit Entries by Action
    • 21.4.2. Filter Fields: Filtering Audit Entries by Field
    • 21.4.3. Filter Script: Using a Script to Filter Audit Data
    • 21.4.4. Filter Triggers: Filtering Audit Entries by Trigger
    • 21.4.5. Watched Fields: Defining Fields to Monitor
    • 21.4.6. Password Fields: Defining a Password Field
  • 21.5. Filtering Audit Logs by Policy
  • 21.6. Configuring an Audit Exception Formatter
  • 21.7. Adjusting Audit Write Behavior
  • 21.8. Purging Obsolete Audit Information
    • 21.8.1. Configuring Audit Log Rotation
    • 21.8.2. Configuring Audit Log File Retention
  • 21.9. Querying Audit Logs Over REST
    • 21.9.1. Querying the Reconciliation Audit Log
    • 21.9.2. Querying the Activity Audit Log
    • 21.9.3. Querying the Synchronization Audit Log
    • 21.9.4. Querying the Authentication Audit Log
    • 21.9.5. Querying the Configuration Audit Log
• Chapter 22. Clustering, Failover, and Availability
  • 22.1. Configuring an IDM Instance as Part of a Cluster
    • 22.1.1. Specifying an Authoritative File-Based Configuration
  • 22.2. Managing Scheduled Tasks Across a Cluster
  • 22.3. Managing Nodes Over REST
  • 22.4. Managing Nodes Through the Admin UI
• Chapter 23. Sending Email
  • 23.1. Sending Mail Over REST
  • 23.2. Sending Mail From a Script
• Chapter 24. Accessing External REST Services
  • 24.1. Invocation Parameters
  • 24.2. Support for Non-JSON Responses
  • 24.3. Setting the TLS Version
• Chapter 25. Deployment Best Practices
  • 25.1. Implementation Phases
    • 25.1.1. Initiation
    • 25.1.2. Definition
    • 25.1.3. Design
    • 25.1.4. Configure and Test
    • 25.1.5. Production
• Chapter 26. Troubleshooting
  • 26.1. Server Stopped in Background
  • 26.2. The scr list Command Shows Sync Service As Unsatisfied
  • 26.3. JSON Parsing Error
  • 26.4. System Not Available
  • 26.5. Bad Connector Host Reference in Provisioner Configuration
  • 26.6. Missing Name Attribute
• Chapter 27. Advanced Configuration
  • 27.1. Advanced Startup Configuration
• Appendix A. Ports Used
• Appendix B. Data Models and Objects Reference
  • B.1. Managed Objects
    • B.1.1. Managed Object Schema
    • B.1.2. Data Consistency
    • B.1.3. Managed Object Triggers
      • B.1.3.1. State Triggers
      • B.1.3.2. Object Storage Triggers
      • B.1.3.3. Property Storage Triggers
      • B.1.3.4. Storage Trigger Sequences
    • B.1.4. Managed Object Encryption
    • B.1.5. Managed Object Configuration
    • B.1.6. Custom Managed Objects
      • B.1.6.1. Setting Up a Managed Object Type
      • B.1.6.2. Manipulating Managed Objects Declaratively
      • B.1.6.3. Manipulating Managed Objects Programmatically
        • B.1.6.3.1. Creating Objects
        • B.1.6.3.2. Updating Objects
        • B.1.6.3.3. Patching Objects
        • B.1.6.3.4. Deleting Objects
        • B.1.6.3.5. Reading Objects
        • B.1.6.3.6. Querying Object Sets
    • B.1.7. Accessing Managed Objects Through the REST API
  • B.2. Configuration Objects
    • B.2.1. When To Use Custom Configuration Objects
    • B.2.2. Custom Configuration Object Naming Conventions
    • B.2.3. Mapping Configuration Objects To Configuration Files
    • B.2.4. Configuration Objects File & REST Payload Formats
    • B.2.5. Accessing Configuration Objects Through the REST API
    • B.2.6. Accessing Configuration Objects Programmatically
    • B.2.7. Creating Objects
    • B.2.8. Updating Objects
    • B.2.9. Deleting Objects
    • B.2.10. Reading Objects
  • B.3. System Objects
  • B.4. Audit Objects
  • B.5. Links
• Appendix C. Synchronization Reference
  • C.1. Object-Mapping Objects
    • C.1.1. Property Objects
    • C.1.2. Policy Objects
      • C.1.2.1. Script Object
  • C.2. Links
  • C.3. Queries
  • C.4. Reconciliation
  • C.5. REST API
• Appendix D. REST API Reference
  • D.1. About ForgeRock Common REST
    • D.1.1. Common REST Resources
    • D.1.2. Common REST Verbs
    • D.1.3. Common REST Parameters
    • D.1.4. Common REST Extension Points
    • D.1.5. Common REST API Documentation
    • D.1.6. Create
    • D.1.7. Read
    • D.1.8. Update
    • D.1.9. Delete
    • D.1.10. Patch
      • D.1.10.1. Patch Operation: Add
      • D.1.10.2. Patch Operation: Copy
      • D.1.10.3. Patch Operation: Increment
      • D.1.10.4. Patch Operation: Move
      • D.1.10.5. Patch Operation: Remove
      • D.1.10.6. Patch Operation: Replace
      • D.1.10.7. Patch Operation: Transform
      • D.1.10.8. Patch Operation Limitations
    • D.1.11. Action
    • D.1.12. Query
    • D.1.13. HTTP Status Codes
  • D.2. Common REST and OpenIDM
  • D.3. URI Scheme
  • D.4. Object Identifiers
  • D.5. Content Negotiation
  • D.6. Conditional Operations
  • D.7. REST Endpoints and Sample Commands
    • D.7.1. Managing the Server Configuration Over REST
    • D.7.2. Managing Users Over REST
    • D.7.3. Managing System Objects Over REST
    • D.7.4. Managing Workflows Over REST
    • D.7.5. Managing Schedules Over REST
    • D.7.6. Managing Scanned Tasks Over REST
    • D.7.7. Accessing Log Entries Over REST
    • D.7.8. Managing Reconciliation Operations Over REST
    • D.7.9. Managing the Security Service Over REST
    • D.7.10. Managing the Repository Over REST
    • D.7.11. Managing Updates Over REST
    • D.7.12. Managing Social ID Providers Over REST
• Appendix E. Scripting Reference
  • E.1. Function Reference
    • E.1.1. openidm.create(resourceName, newResourceId, content, params, fields)
    • E.1.2. openidm.patch(resourceName, rev, value, params, fields)
    • E.1.3. openidm.read(resourceName, params, fields)
    • E.1.4. openidm.update(resourceName, rev, value, params, fields)
    • E.1.5. openidm.delete(resourceName, rev, params, fields)
    • E.1.6. openidm.query(resourceName, params, fields)
    • E.1.7. openidm.action(resource, actionName, content, params, fields)
    • E.1.8. openidm.encrypt(value, cipher, alias)
    • E.1.9. openidm.decrypt(value)
    • E.1.10. openidm.isEncrypted(object)
    • E.1.11. openidm.hash(value, algorithm)
    • E.1.12. openidm.isHashed(value)
    • E.1.13. openidm.matches(string, value)
    • E.1.14. Logging Functions
      • E.1.14.1. logger.debug(string message, object... params)
      • E.1.14.2. logger.error(string message, object... params)
      • E.1.14.3. logger.info(string message, object... params)
      • E.1.14.4. logger.trace(string message, object... params)
      • E.1.14.5. logger.warn(string message, object... params)
  • E.2. Places to Trigger Scripts
  • E.3. Variables Available to Scripts
    • E.3.1. Script Triggers Defined in managed.json
    • E.3.2. Script Triggers Defined in sync.json
    • E.3.3. Script Triggers Defined in router.json
    • E.3.4. The augmentSecurityContext Trigger
    • E.3.5. Variables Available to Role Assignment Scripts
    • E.3.6. The identityServer Variable
• Appendix F. Router Service Reference
  • F.1. Configuration
    • F.1.1. Filter Objects
      • F.1.1.1. Pattern Matching in the router​.json File
    • F.1.2. Script Execution Sequence
    • F.1.3. Script Scope
  • F.2. Example
  • F.3. Understanding the Request Context Chain
• Appendix G. Embedded Jetty Configuration
  • G.1. Using IDM Configuration Properties in the Jetty Configuration
    • G.1.1. Accessing Explicit Bean Properties
    • G.1.2. Accessing Generic Properties
  • G.2. Jetty Default Settings
  • G.3. Registering Additional Servlet Filters
  • G.4. Disabling and Enabling Secure Protocols
• Appendix H. Authentication and Session Module Configuration Details
  • H.1. OPENAM_SESSION Module Configuration Options
• Appendix I. Social ID Provider Configuration Details
  • I.1. Google Social ID Provider Configuration Details
  • I.2. LinkedIn Social ID Provider Configuration Details
  • I.3. Facebook Social ID Provider Configuration Details
  • I.4. Custom Social ID Provider Configuration Details
• Appendix J. Audit Log Reference
  • J.1. Audit Log Schema
    • J.1.1. Audit Event Topics
    • J.1.2. Commons Audit Event Topics
  • J.2. Audit Event Handler Configuration
• Appendix K. Release Levels & Interface Stability
  • K.1. ForgeRock Product Release Levels
  • K.2. ForgeRock Product Interface Stability
• Glossary
• Index