Sometimes it is necessary to keep ForgeRock Identity Manager off the Internet while still letting it reach Internet-based services such as Salesforce. So what can you do?

Take a look at the Remote Connector Server, the framework used to host a connector closer to the edge of your network.

The basic steps are:
- Configure a Salesforce Connected App
- Deploy a Remote Connector Server
- Configure ForgeRock Identity Manager to use the instance created above
- Start synchronizing
## Configure Salesforce Connected App

This article (https://dev.to/darkedges/salesforce-connected-app-57jd) details how to configure a Connected App for use with the steps below.
## Deploy a Remote Connector Server

For this we will create a Dockerfile that adds the Salesforce Connector to the Remote Connector Server image.

Please note: you must have a registered account with ForgeRock Backstage to hold a license for using the Salesforce Connector, and this is for educational purposes only.

```Dockerfile
ARG FR_RCS_TAG=1.5.20.21
ARG FR_TAG=7.5.0

# The IDM image is used only as the source of the connector jar
FROM gcr.io/forgerock-io/idm:${FR_TAG} AS fr_idm_base

# Runtime deployment
FROM gcr.io/forgerock-io/rcs:${FR_RCS_TAG}

# Add the Salesforce Connector to the RCS connector directory
# (/opt/openicf/connectors/ is assumed to be where the RCS image loads connectors from)
COPY --from=fr_idm_base --chown=forgerock:forgerock \
    /opt/openidm/connectors/salesforce-connector-1.5.20.21.jar /opt/openicf/connectors/
```
You can then build and push the image to your private repository using the following:

```shell
docker build . -t frq/rcs:1.5.20.21
docker push frq/rcs:1.5.20.21
```

Now we need to have this up and running. It is assumed you already have an IDM instance running in Docker, named frq-idm:

```shell
docker run -it --rm --name frq-idm --publish 8080:8080 frq/idm:7.5.0
docker run -it --rm --name frq-rcs --publish 8759:8759 frq/rcs:1.5.20.21
```
## Configure ForgeRock Identity Manager

- Create a file named provisioner.openicf.connectorinfoprovider.json in your FRIM config directory with the following contents:

```json
{
  "remoteConnectorServers": [
    {
      "name": "frq-rcs",
      "host": "frq-rcs",
      "port": 8759,
      "useSSL": false,
      "key": "changeit"
    }
  ]
}
```

  and restart your FRIM instance.
- Connect to your FRIM Admin Console.
- Select Configure->Connectors->New Connector.
- Provide the following details:

| Key | Value |
|---|---|
| Connector Name | Salesforce |
| Remote Host | frq-rcs |
| Connector Type | Salesforce Connector - 1.5.20.21 |
| Login URL | Production |
| Consumer Key | <CONSUMER_KEY> |
| Consumer Secret | <CONSUMER_SECRET> |
| Grant Type | Refresh token |
  and click the Save button.
- It will redirect you to the Salesforce login screen if you are not logged in, or return to the ForgeRock Identity Manager Connector screen.
- Click on the Data tab and you will be able to get User data from Salesforce.
## Alternative approach

An alternative approach is to create a file provisioner.openicf-Salesforce.json with the following content (connectorHostRef pointing at the Remote Connector Server registered above):
```json
{
  "connectorRef": {
    "displayName": "Salesforce Connector",
    "bundleVersion": "1.5.20.21",
    "systemType": "provisioner.openicf",
    "bundleName": "org.forgerock.openicf.connectors.salesforce-connector",
    "connectorName": "org.forgerock.openicf.connectors.salesforce.SalesforceConnector",
    "connectorHostRef": "frq-rcs"
  },
  "poolConfigOption": {
    "maxObjects": 10,
    "maxIdle": 10,
    "maxWait": 150000,
    "minEvictableIdleTimeMillis": 120000,
    "minIdle": 1
  },
  "resultsHandlerConfig": {
    "enableNormalizingResultsHandler": false,
    "enableFilteredResultsHandler": false,
    "enableCaseInsensitiveFilter": false,
    "enableAttributesToGetSearchResultsHandler": true
  },
  "operationTimeout": {
    "CREATE": -1,
    "UPDATE": -1,
    "DELETE": -1,
    "TEST": -1,
    "SCRIPT_ON_CONNECTOR": -1,
    "SCRIPT_ON_RESOURCE": -1,
    "GET": -1,
    "RESOLVEUSERNAME": -1,
    "AUTHENTICATE": -1,
    "SEARCH": -1,
    "VALIDATE": -1,
    "SYNC": -1,
    "SCHEMA": -1
  },
  "configurationProperties": {
    "clientId": "<CONSUMER_KEY>",
    "clientSecret": "<CONSUMER_SECRET>",
    "grantType": "refresh_token",
    "refreshToken": "<REFRESH_TOKEN>",
    "loginUrl": "https://login.salesforce.com/services/oauth2/token",
    "instanceUrl": "https://<DEV_DF_HOSTNAME>.lightning.force.com/",
    "version": 48,
    "connectTimeout": 120000,
    "proxyHost": null,
    "proxyPort": 3128,
    "maximumConnections": 10,
    "supportedObjectTypes": [
      "User"
    ],
    "proxyUri": null,
    "proxyUsername": null,
    "proxyPassword": null,
    "supportedFeatureLicenses": [
      "UserPermissionsChatterAnswersUser",
      "UserPermissionsInteractionUser",
      "UserPermissionsKnowledgeUser",
      "UserPermissionsLiveAgentUser",
      "UserPermissionsMarketingUser",
      "UserPermissionsOfflineUser",
      "UserPermissionsSFContentUser",
      "UserPermissionsSupportUser",
      "UserPermissionsSiteforceContributorUser",
      "UserPermissionsSiteforcePublisherUser",
      "UserPermissionsWorkDotComUserFeature"
    ]
  },
  "enabled": true
}
```
Just remember to populate the values of <CONSUMER_KEY>, <CONSUMER_SECRET>, <REFRESH_TOKEN> and <DEV_DF_HOSTNAME> with the values collected when registering the Connected App using the instructions at https://dev.to/darkedges/salesforce-connected-app-57jd
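Before restarting FRIM it is worth linting the two files above (provisioner.openicf.connectorinfoprovider.json and provisioner.openicf-Salesforce.json) for the mistakes that most often break an RCS deployment or leave secrets lying around: a default shared key such as `changeit`, `useSSL` left off, an empty `connectorHostRef` (which makes IDM look for the connector locally instead of on the RCS), placeholders that were never replaced, and OAuth secrets stored as literals instead of via IDM's `&{property}` substitution. The script below is an added example written for this post, not ForgeRock's code; the two embedded JSON documents are constructed copies of the page's configuration, and the `&{...}` convention for the refresh token is IDM property-value substitution.

```python
"""Pre-deployment lint for the IDM remote-connector configuration files.

Added example (not ForgeRock's or the original post's code). Embeds
constructed copies of the two JSON documents from the post and checks
them for the mistakes that most often stop a Remote Connector Server
deployment from working or leave secrets exposed.
"""
import json
import re

# Constructed sample: mirrors provisioner.openicf.connectorinfoprovider.json
CONNECTORINFOPROVIDER_JSON = """
{
  "remoteConnectorServers": [
    {"name": "frq-rcs", "host": "frq-rcs", "port": 8759,
     "useSSL": false, "key": "changeit"}
  ]
}
"""

# Constructed sample: a trimmed provisioner.openicf-Salesforce.json, with the
# refresh token already moved to &{...} property substitution (assumed convention)
PROVISIONER_JSON = """
{
  "connectorRef": {
    "bundleVersion": "1.5.20.21",
    "connectorName": "org.forgerock.openicf.connectors.salesforce.SalesforceConnector",
    "connectorHostRef": ""
  },
  "configurationProperties": {
    "clientId": "<CONSUMER_KEY>",
    "clientSecret": "<CONSUMER_SECRET>",
    "grantType": "refresh_token",
    "refreshToken": "&{salesforce.refresh.token}",
    "loginUrl": "https://login.salesforce.com/services/oauth2/token"
  },
  "enabled": true
}
"""

PLACEHOLDER = re.compile(r"^<[A-Z_]+>$")        # e.g. <CONSUMER_KEY>
SECRET_FIELDS = ("clientSecret", "refreshToken")  # must not be literals
WEAK_KEYS = {"changeit", "password", "secret", ""}


def lint_connectorinfoprovider(doc):
    """Return (findings, server_names) for the RCS registration file."""
    findings = []
    names = set()
    for srv in doc.get("remoteConnectorServers", []):
        name = srv.get("name", "<unnamed>")
        names.add(name)
        if srv.get("key", "") in WEAK_KEYS:
            findings.append(f"{name}: shared key is a default/empty value; set a unique key matching the RCS")
        if not srv.get("useSSL", False):
            findings.append(f"{name}: useSSL is false; IDM<->RCS traffic will be cleartext")
        if not isinstance(srv.get("port"), int):
            findings.append(f"{name}: port must be an integer")
    return findings, names


def lint_provisioner(doc, server_names):
    """Return findings for the connector provisioner file, cross-checked against the RCS names."""
    findings = []
    host_ref = doc.get("connectorRef", {}).get("connectorHostRef", "")
    if not host_ref:
        findings.append("connectorHostRef is empty: IDM will look for the connector locally, not on the RCS")
    elif host_ref not in server_names:
        findings.append(f"connectorHostRef '{host_ref}' does not match any remoteConnectorServers entry")
    for key, value in doc.get("configurationProperties", {}).items():
        if isinstance(value, str) and PLACEHOLDER.match(value):
            findings.append(f"{key}: placeholder {value} was never replaced")
        elif key in SECRET_FIELDS and isinstance(value, str) and not value.startswith("&{"):
            findings.append(f"{key}: secret stored as a literal; use &{{property}} substitution")
    return findings


def lint_pair(cip_text, prov_text):
    """Lint both files together and return every finding as a list of strings."""
    cip_findings, names = lint_connectorinfoprovider(json.loads(cip_text))
    return cip_findings + lint_provisioner(json.loads(prov_text), names)


if __name__ == "__main__":
    for finding in lint_pair(CONNECTORINFOPROVIDER_JSON, PROVISIONER_JSON):
        print("FINDING:", finding)
```

Run against the constructed samples it reports five findings: the `changeit` key, cleartext IDM-to-RCS transport, the empty `connectorHostRef`, and the two unreplaced placeholders. An empty result is the condition to aim for before the restart.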
## Conclusion
In our next post we will look at how to reduce the data being loaded, as well as being able to populate User, Permission and Permission Set objects.