Monday, 27 June 2016

A Beginner's Guide to OpenIDM - Part 1

This is the first in a series of blogs aiming to demystify OpenIDM, the Identity Management component of the ForgeRock platform.

I have actually been really impressed with OpenIDM and how much you can accomplish with it in a short time. It is fair to say though that if you are used to more traditional IDM technologies such as Oracle Identity Manager then it can take a bit of time to get your head around how OpenIDM works and how to get things done.

In this first tutorial of the series I want to walk through a basic installation of OpenIDM, look at the architecture of the product and see how everything fits together.

This blog is part of my OpenIDM Beginner's series; catch up with the links below:

A Beginner's Guide to OpenIDM - Part 1
A Beginner's Guide to OpenIDM - Part 2 - Objects
A Beginner's Guide to OpenIDM - Part 3 - Connectors
A Beginner's Guide to OpenIDM - Part 4 - Mappings
A Beginner's Guide to OpenIDM - Part 5 - User Registration
A Beginner's Guide to OpenIDM - Part 6 - Provisioning to Active Directory


OpenIDM is primarily concerned with the following functionality:
  • Objects and relationships: Quickly modelling complex objects, schemas and the relationships between them, e.g. for users, devices and things, and exposing them as RESTful resources.
  • Data Synchronization: Moving data to and from systems such as Active Directory, databases, web services and others. This uses connectors and mappings to:
    • Create and update users and accounts in target systems, i.e. pushing data from OpenIDM to target systems.
    • Reconcile users and accounts from target systems, i.e. pulling data into OpenIDM from target systems.
    • Move data about users, devices and things to and from any other system.
  • Workflow Engine: Processes such as requesting and approving access to resources, and much more.
  • Self Service: Enabling end users to easily and securely register accounts, retrieve forgotten passwords and manage their profiles.
  • Task Scheduling: Automating certain processes to run periodically.

All of this is built upon a consistent set of REST APIs, with numerous hooks throughout the platform for scripting behaviour using Groovy or JavaScript.

OpenIDM also makes use of a data store into which it reads and writes:

  • Data for users, devices and things: e.g. actual user account data, such as first_name=Wayne, last_name=Blacklock, for all objects that OpenIDM manages.
  • Linked account data: "mirrored" data for the systems OpenIDM has been integrated with. This lets you view and manipulate all of a user's account data across all systems from OpenIDM.
  • Various pieces of state relating to workflow, scheduling and other functionality.

Finally, all of OpenIDM's configuration is stored as .json files locally, per deployment.

Logical Architecture

The diagram below aims to give you a bit of an overview of how OpenIDM fits together. We will explore each major component in detail with worked examples over the next few months.

Getting Started

This blog series is intended to be a practical introduction to OpenIDM so the first thing we need to do is download and install it.

If you already have a ForgeRock Backstage subscription you can download IDM from there. Otherwise you need to register for the evaluation version:

Note: For now we are going to use the embedded OpenIDM OrientDB database rather than install an external database. OrientDB ships with OpenIDM and is ready to go right from the start; however, please note it is not suitable for production deployments. We will cover the use of another database for enterprise deployments later in the series.

Download and unzip OpenIDM to a directory. Make sure you have Java installed, configured and available from the command line.

To start up OpenIDM simply type:

Linux: ./
Windows: startup.bat

That's it! By default OpenIDM runs on port 8080. You can then navigate to the interfaces at:

You'll note both pages look similar, but one is for users and one is for admins.

The default username and password for the administrator is openidm-admin / openidm-admin.

Log into the administrator interface. Once you have logged in you should see the dashboard:

Over the rest of this series we will explore the functionality of OpenIDM in detail.
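Once OpenIDM is up, it is worth confirming from the command line that the REST layer answers on port 8080 and noting whether the shipped administrator password is still in use. The script below is an added example, not code from the original post or from ForgeRock; it assumes the default port and credentials from the walkthrough, OpenIDM's X-OpenIDM-Username / X-OpenIDM-Password header authentication, and the /info/ping and /info/login endpoints with the response fields named in the comments.

```python
"""Post-install smoke check for a freshly started OpenIDM instance.

Added example, not from the original post. Assumes the default port 8080 and
admin credentials from the walkthrough, header-based authentication, and the
/info/ping and /info/login endpoints; the "state"/"shortDesc" fields are
assumed from the product documentation.
"""
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8080/openidm"
DEFAULT_ADMIN = ("openidm-admin", "openidm-admin")  # shipped defaults


def auth_headers(username, password):
    """Header-based authentication used by the OpenIDM REST API."""
    return {"X-OpenIDM-Username": username, "X-OpenIDM-Password": password}


def parse_ping(body):
    """Return (ready, description) from the JSON body of GET /info/ping."""
    data = json.loads(body)
    state = data.get("state", "")
    return state == "ACTIVE_READY", data.get("shortDesc", state or "unknown")


def default_password_finding(status_code):
    """Interpret GET /info/login made with the shipped admin credentials."""
    if status_code == 200:
        return "default admin password still accepted: change it before going further"
    if status_code in (401, 403):
        return "default admin password rejected"
    return "inconclusive (HTTP %d)" % status_code


def http_get(path, creds, base_url=BASE_URL, timeout=5):
    """GET base_url+path and return (status_code, body); 0 means unreachable."""
    req = urllib.request.Request(base_url + path, headers=auth_headers(*creds))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError) as e:
        return 0, "unreachable: %s" % e


if __name__ == "__main__":
    code, body = http_get("/info/ping", DEFAULT_ADMIN)
    print("ping:", parse_ping(body) if code == 200 else (False, body))
    code, _ = http_get("/info/login", DEFAULT_ADMIN)
    print("login:", default_password_finding(code))
```

If the ping reports "unreachable", check that the startup script is still running and that nothing else holds port 8080 before looking further.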


  1. Hi Wayne,
    Can you do a piece on Certifications in OpenIDM?

    1. Hi duke. IDM is not built for certification OOTB; however, with workflow, limited certification can be achieved. It really depends on what your requirements are.

  2. It's not running on localhost:8080. Kindly let me know how the solution