{"id":5980,"date":"2012-09-17T12:28:50","date_gmt":"2012-09-17T17:28:50","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=5980"},"modified":"2012-10-11T14:40:51","modified_gmt":"2012-10-11T19:40:51","slug":"openidm-integration","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=5980","title":{"rendered":"OpenIDM 2.1 Integration Guide"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tArchitectural Overview<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tModular Framework<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tInfrastructure Modules<\/a>\n\t\t\t<\/li>\n\t\t\t
    3. \n\t\t\t\tCore Services<\/a>\n\t\t\t\t
        \n\t\t\t\t\t
      1. \n\t\t\t\t\t\tObject model<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      2. \n\t\t\t\t\t\tManaged objects<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      3. \n\t\t\t\t\t\tSystem Objects<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      4. \n\t\t\t\t\t\tMappings<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      5. \n\t\t\t\t\t\tSynchronization and Reconciliation<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
      6. \n\t\t\t\tAccess Layer<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
      7. \n\t\tConfiguration Options<\/a>\n\t\t
          \n\t\t\t
        1. \n\t\t\t\tConfiguration Objects<\/a>\n\t\t\t\t
            \n\t\t\t\t\t
          1. \n\t\t\t\t\t\tSingle Instance Configuration Objects<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
          2. \n\t\t\t\t\t\tMultiple Instance Configuration Objects<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
          3. \n\t\t\t\tConfiguration Over REST<\/a>\n\t\t\t<\/li>\n\t\t\t
          4. \n\t\t\t\tProperty Substitution in Configuration<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
          5. \n\t\tConfigure Server Logs<\/a>\n\t<\/li>\n\t
          6. \n\t\tConnect to External Resources<\/a>\n\t\t
              \n\t\t\t
            1. \n\t\t\t\tAccessing Remote Connectors<\/a>\n\t\t\t<\/li>\n\t\t\t
            2. \n\t\t\t\tConfigure Connectors<\/a>\n\t\t\t<\/li>\n\t\t\t
            3. \n\t\t\t\tConnector Configuration Examples<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
            4. \n\t\tConfiguring Synchronization<\/a>\n\t\t
                \n\t\t\t
              1. \n\t\t\t\tTypes of Synchronization<\/a>\n\t\t\t\t
                  \n\t\t\t\t\t
                1. \n\t\t\t\t\t\tReconciliation<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                2. \n\t\t\t\t\t\tLiveSync<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                3. \n\t\t\t\tFlexible Data Model<\/a>\n\t\t\t<\/li>\n\t\t\t
                4. \n\t\t\t\tBasic Data Flow Configuration<\/a>\n\t\t\t\t
                    \n\t\t\t\t\t
                  1. \n\t\t\t\t\t\tConnector Configuration Files<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                  2. \n\t\t\t\t\t\tSynchronization Mappings File<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                  3. \n\t\t\t\t<\/a>\n\t\t\t\t
                      \n\t\t\t\t\t
                    1. \n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                    2. \n\t\t\t\t<\/a>\n\t\t\t<\/li>\n\t\t\t
                    3. \n\t\t\t\t<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
                    4. \n\t\tScheduling Synchronization<\/a>\n\t<\/li>\n\t
                    5. \n\t\tManaging Passwords<\/a>\n\t\t
                        \n\t\t\t
                      1. \n\t\t\t\tEnforcing Password Policies<\/a>\n\t\t\t<\/li>\n\t\t\t
                      2. \n\t\t\t\tPassword Synchronization<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
                      3. \n\t\tManaging Authentication, Authorization & RBAC<\/a>\n\t\t
                          \n\t\t\t
                        1. \n\t\t\t\tOpenIDM Users<\/a>\n\t\t\t\t
                            \n\t\t\t\t\t
                          1. \n\t\t\t\t\t\tInternal Users<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                          2. \n\t\t\t\t\t\tManaged Users<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n<\/ol>\n\t\t\t
                          3. \n\t\t\t\tAuthentication<\/a>\n\t\t\t\t
                              \n\t\t\t\t\t
                            1. \n\t\t\t\t\t\tDefault Attributes<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                            2. \n\t\t\t\t\t\tAuthentication<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                            3. \n\t\t\t\t\t\tRoles<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                            4. \n\t\t\t\t\t\tAuthorization<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                            5. \n\t\t\t\tSecuring & Hardening OpenIDM<\/a>\n\t\t\t<\/li>\n\t\t\t
                            6. \n\t\t\t\tIntegrating Business Processes & Workflows<\/a>\n\t\t\t\t
                                \n\t\t\t\t\t
                              1. \n\t\t\t\t\t\tRemote Integration<\/a>\n\t\t\t\t\t\t
                                  \n\t\t\t\t\t\t\t
                                1. \n\t\t\t\t\t\t\t\tCheckout Trunk<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
                                2. \n\t\t\t\t\t\t\t\tCompile and Package Source Codes<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
                                3. \n\t\t\t\t\t\t\t\tInstall OpenIDM<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
                                4. \n\t\t\t\t\t\t\t\tInstall Activiti<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
                                5. \n\t\t\t\t\t\t\t\tDeploy OpenIDM Workflow to Activiti Tomcat<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
                                6. \n\t\t\t\t\t\t\t\tConfigure OpenIDM to use Remote Activiti<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t\t
                                7. \n\t\t\t\t\t\t\t\tInstall the sample workflow (example.bpmn20.xml) from the openidm-workflow-activiti project<\/a>\n\t\t\t\t\t\t\t<\/li>\n\t\t\t\t\t\t<\/ol>\n\t\t\t\t\t
                                8. \n\t\t\t\t\t\tLocal Activiti Integration<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                                9. \n\t\t\t\t\t\tConfigure Activiti Engine<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                                10. \n\t\t\t\t\t\tDefine Activiti Workflows<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                                11. \n\t\t\t\t\t\tInvoking Activiti Workflows<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                                12. \n\t\t\t\t\t\tEmail Notification Example<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                                13. \n\t\t\t\t\t\tExample Sunset Workflow Triggered By Reconciliation<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                                14. \n\t\t\t\tSending Email<\/a>\n\t\t\t\t
                                    \n\t\t\t\t\t
                                  1. \n\t\t\t\t\t\tSetup Outbound Email<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                                  2. \n\t\t\t\t\t\tSend mail from REST<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
                                  3. \n\t\t\t\t\t\tSending Mail from Script<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                                  4. \n\t\t\t\tErrors<\/a>\n\t\t\t\t
                                      \n\t\t\t\t\t
                                    1. \n\t\t\t\t\t\taction method not implemented on workflow<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
                                    2. \n\t\t\t\tReferences<\/a>\n\t\t\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
                                       <\/div>\n

                                      Architectural Overview<\/h2><\/span>\n
                                      \"\"<\/a><\/h6><\/span>\n

                                      Modular Framework<\/h3><\/span>\n

                                      * OSGi (Felix)
                                      \n* Servlet (Jetty)<\/p>\n

                                      Infrastructure Modules<\/h3><\/span>\n

                                      * Scheduler (Quartz)
                                      \n* Script engine (JavaScript)
                                      \n* Audit logging
                                      \n* Repository
                                      \n– MySQL for production use
                                      \n– OrientDB for evaluation use
                                      \n– Repository API is based on JSON object model and RESTful Web Services<\/p>\n

                                      Core Services<\/h3><\/span>\n

                                      Object model<\/h4><\/span>\n

                                      * Java based object model
                                      \n* Java object model represents of JSON object model
                                      \n* Also exposes a set of triggers and functions for scripting hookups<\/p>\n

                                      Managed objects<\/h4><\/span>\n

                                      * They are identity related data managed by OpenIDM
                                      \n* Configurable, JSON based data structure living the repository
                                      \n* Default configuration of a manged object is that of a user<\/em>
                                      \n* Can be access via \/openidm\/managed\/<\/em> context<\/p>\n

                                      \r\ncurl\r\n  --header \"X-OpenIDM-Username: openidm-admin\"\r\n  --header \"X-OpenIDM-Password: openidm-admin\"\r\n  --request GET\r\n  \"http:\/\/localhost:8080\/openidm\/managed\/...\"\r\n<\/pre>\n
                                      System Objects<\/h4><\/span>\n
                                      * They are pluggable representations of objects on external systems, e.g. a user entry stored in external<\/strong> LDAP.
                                      \n* Can be access via \/openidm\/system\/<\/em> context<\/p>\n
                                      \r\ncurl\r\n  --header \"X-OpenIDM-Username: openidm-admin\"\r\n  --header \"X-OpenIDM-Password: openidm-admin\"\r\n  --request GET\r\n  \"http:\/\/localhost:8080\/openidm\/system\/...\"\r\n<\/pre>\n
                                      Mappings<\/h4><\/span>\n
                                      * Mappings define policies between source and target objects and their attributes during synchronization and reconciliation
                                      \n* Can also define triggers for validation, customization, filtering, and transformation of source and target objects<\/p>\n
                                      Synchronization and Reconciliation<\/h4><\/span>\n
                                      Access Layer<\/h3><\/span>\n
                                      * Provides UI and public APIs (RESTful) for accessing and managing OpenIDM repository and its functions<\/p>\n
                                      Configuration Options<\/h2><\/span>\n
                                      Configuration Objects<\/h3><\/span>\n
                                      * Exposed as JSON objects
                                      \n* Can be either single instance (one per installation) or multiple instances (more than one per installation)<\/p>\n
                                      Single Instance Configuration Objects<\/h4><\/span>\n
                                      * audit<\/em>: specifies how audit events are logged
                                      \n* authentication<\/em>: controls REST access
                                      \n* managed<\/em>: defines managed objects and their schemas
                                      \n* repo.repo-type<\/em>: configures internal repository, e.g. repo.orientd<\/em>b or repo.jdbc<\/em>
                                      \n* router<\/em>: specifies filters for specific operations
                                      \n* sync<\/em>: defines all sync and reconciliation mappings<\/p>\n
                                      Multiple Instance Configuration Objects<\/h4><\/span>\n
                                      * Naming: objectname\/instancename<\/em>, e.g. provisioner.openicf\/xml<\/em>
                                      \n* JSON file views are named: objectname-instancename.json<\/em>, e.g. provisioner.openicf-xml.json<\/em><\/p>\n
                                      Configuration Over REST<\/h3><\/span>\n
                                      * Configuration objects are exposed under \/openidm\/config<\/em> context
                                      \n* Single instance objects are under \/openidm\/config\/objectname<\/em> context
                                      \n* Multiple instance objects are under \/openidm\/config\/objectname\/instancename<\/em> context<\/p>\n
                                      \r\n# List all configuration objects:\r\ncurl --request GET \\\r\n --header \"X-OpenIDM-Username: openidm-admin\" \\\r\n --header \"X-OpenIDM-Password: openidm-admin\" http:\/\/localhost:8080\/openidm\/config\r\n\r\n# List single instance audit configuration object:\r\ncurl \\\r\n --header \"X-OpenIDM-Username: openidm-admin\" \\\r\n --header \"X-OpenIDM-Password: openidm-admin\" http:\/\/localhost:8080\/openidm\/config\/audit\r\n\r\n# List multiple instance configuration object:\r\ncurl \\\r\n --header \"X-OpenIDM-Username: openidm-admin\" \\\r\n --header \"X-OpenIDM-Password: openidm-admin\" http:\/\/localhost:8080\/openidm\/config\/provisioner.openicf\/xml\r\n<\/pre>\n
                                      Property Substitution in Configuration<\/h3><\/span>\n
                                      * Define properties in conf\/boot.properties<\/em>. For example:<\/p>\n
                                      \r\nPROD.location=production\r\nDEV.location=development\r\n<\/pre>\n
                                      * Use Property in configuration files with &{} construct. For example, repo.orientdb.json:<\/p>\n
                                      \r\n{\r\n\"dbUrl\" : \"local:.\/db\/&{&{environment}.location}-openidm\",\r\n\"user\" : \"admin\",\r\n\"poolMinSize\" : 5,\r\n\"poolMaxSize\" : 20,\r\n...\r\n}\r\n<\/pre>\n
                                      * Property “environment” is further defined in environment variables:<\/p>\n
                                      \r\n# For DEV environment:\r\nexport OPENIDM_OPTS=\"-Xmx1024m -Denvironment=PROD\"\r\n.\/startup.sh\r\n\r\n# For PROD environment:\r\nexport OPENIDM_OPTS=\"-Xmx1024m -Denvironment=DEV\"\r\n.\/startup.sh\r\n<\/pre>\n
                                      * Java system properties can also be used. For example:<\/p>\n
                                      \r\n{\r\n    \"logTo\" : [\r\n        {\r\n            \"logType\" : \"csv\",\r\n            \"location\" : \"&{user.home}\/audit\",\r\n            \"recordDelimiter\" : \";\"\r\n        }\r\n    ]\r\n}\r\n<\/pre>\n
                                      * Also supports nested properties
                                      \n* Does not<\/strong> support encrypted values at this time<\/p>\n
                                      Configure Server Logs<\/h2><\/span>\n
                                      * Server logging can be configured in openidm\/conf\/logging.properties<\/em>
                                      \n* Logging levels<\/p>\n
                                      \r\nSEVERE\r\nWARNING\r\nINFO\r\nCONFIG\r\nFINE\r\nFINER\r\nFINEST\r\n<\/pre>\n
                                      * Set logging level in individual script:<\/p>\n
                                      \r\norg.forgerock.openidm.script.javascript.JavaScript.level=level\r\n<\/pre>\n
                                      * Override log level defined in individual script:<\/p>\n
                                      \r\norg.forgerock.openidm.script.javascript.JavaScript.script-name.level=level\r\n<\/pre>\n
                                      Connect to External Resources<\/h2><\/span>\n
                                      * Resources are
                                      \n– external systems
                                      \n– databases
                                      \n– directory servers
                                      \n– other sources of identity data
                                      \nto be managed and audited by an idM
                                      \n* OpenIDM connects to external resources through OpenICF<\/em> which can be either standalone or embedded
                                      \n* Connectors are configured through files named openidm\/conf\/provisioner.openicf-connectorname<\/em>
                                      \n* Sample connectors are located in openidm\/samples\/provisioners<\/em> directory (copy them to conf directory to use)<\/p>\n
                                      \"\"<\/a><\/h6><\/span>\n
                                      Accessing Remote Connectors<\/h3><\/span>\n
                                      * Configure remote connectors in conf\/provisioner.openicf.connectorinfoprovider.json<\/em>
                                      \n* See sample file in conf\/provisioner<\/em> directory<\/p>\n
                                      \r\ncat provisioner.openicf.connectorinfoprovider.jsn \r\n{\r\n   \"connectorsLocation\" : \"connectors\",\r\n   \"remoteConnectorServers\" :\r\n      [\r\n         {\r\n            \"name\" : \"dotnet\",\r\n            \"host\" : \"127.0.0.1\",\r\n            \"port\" : 8759,\r\n            \"useSSL\" : false,\r\n            \"timeout\" : 0,\r\n            \"key\" : \"Passw0rd\"\r\n         }\r\n      ]\r\n}\r\n<\/pre>\n
                                      Configure Connectors<\/h3><\/span>\n
                                      * Via OpenICF provisioner service
                                      \n* Each connector configuration is stored in a file in the conf<\/em> directory named provisioner.openicf-connectorname<\/em><\/p>\n
                                      Connector Configuration Examples<\/h3><\/span>\n
                                      Configuring Synchronization<\/h2><\/span>\n
                                      Types of Synchronization<\/h3><\/span>\n
                                      * Synchronization happens when
                                      \n– OpenIDM receives a change directly: OpenIDM pushes changes immediately to all external resources
                                      \n– OpenIDM discovers a change on an external resource: through reconciliation and LiveSync<\/p>\n
                                      Reconciliation<\/h4><\/span>\n
                                      * Bidirectional synchronization of objects (mainly user objects) between different data stores
                                      \n* Thorough and heavy weight
                                      \n* Good for compliance and reports<\/p>\n
                                      LiveSync<\/h4><\/span>\n
                                      * Relies on change log on the external resource (e.g. OpenDJ and AD) to determine which object has changed
                                      \n* Light weight
                                      \n* Might miss some changes<\/p>\n
                                      Flexible Data Model<\/h3><\/span>\n
                                      Basic Data Flow Configuration<\/h3><\/span>\n
                                      * Elements involved:
                                      \n– Three types of configuration files
                                      \n– A link table that OpenIDM maintains in its repository
                                      \n– Scripts to check objects and manipulate attributes<\/p>\n
                                      Connector Configuration Files<\/h4><\/span>\n
                                      * Maps external resource objects to OpenIDM objects
                                      \n* Lives in conf<\/em> directory
                                      \n* Naming convention is provisioner.resource-name.json<\/em>, e.g. provisioner.openicf-xml.json
                                      \n* Mapping naming conventions:
                                      \n– nativeName<\/em>: external attribute name
                                      \n– nativeType<\/em>: external attribute type<\/p>\n
                                      \r\n{\r\n    \"name\": \"MyLDAP\",\r\n    \"objectTypes\": {\r\n        \"account\": {\r\n            \"lastName\": {\r\n                \"type\": \"string\",\r\n                \"required\": true,\r\n                \"nativeName\": \"sn\",\r\n                \"nativeType\": \"string\"\r\n            },\r\n            \"homePhone\": {\r\n                \"type\": \"array\",\r\n                \"items\": {\r\n                    \"type\": \"string\",\r\n                    \"nativeType\": \"string\"\r\n                },\r\n                \"nativeName\": \"homePhone\",\r\n                \"nativeType\": \"string\"\r\n            }\r\n        }\r\n    }\r\n}\r\n<\/pre>\n
                                      Synchronization Mappings File<\/h4><\/span>\n
                                      * Single file: conf\/sync.json<\/em>
                                      \n* Describes a set of mappings
                                      \n– Each mapping specifies attribute mapping from source to target objects (i.e. directional from source to target)
                                      \n– External objects are identified as system\/name\/object-type<\/em>
                                      \n* By default, synchronize all objects matching those defined in the connector config file for the resource
                                      \n* Can also do
                                      \n– creating new attribute
                                      \n– conditional sync
                                      \n– transformation<\/p>\n
                                      \r\n{\r\n    \"mappings\": [\r\n        {\r\n            \"name\": \"systemLdapAccounts_managedUser\",\r\n            \"source\": \"system\/MyLDAP\/account\",\r\n            \"target\": \"managed\/user\",\r\n            \"properties\": [\r\n                {\r\n                    \"target\": \"familyName\",\r\n                    \"source\": \"lastName\"\r\n                },\r\n                {\r\n                    \"target\": \"homePhone\",\r\n                    \"source\": \"homePhone\"\r\n                },\r\n                \/* Creates a new attribute on the target name phoneExtension with default value of 0047 *\/\r\n                {\r\n                    \"target\": \"phoneExtension\",\r\n                    \"default\": \"0047\"\r\n                },\r\n                \/* Sync conditionally (only if source email is not null) *\/\r\n                {\r\n                    \"target\": \"mail\",\r\n                    \"comment\": \"Set mail if non-empty.\",\r\n                    \"source\": \"email\",\r\n                    \"condition\": {\r\n                        \"type\": \"text\/javascript\",\r\n                        \"source\": \"(source.email != null)\"\r\n                    }\r\n                },\r\n                \/* Create a new target attribute named displayName *\/\r\n                {\r\n                    \"target\": \"displayName\",\r\n                    \"source\": \"\";\r\n                    \"transform\": {\r\n                        \"type\": \"text\/javascript\",\r\n                        \"source\": \"(source.lastName +', ' + source.firstName;)\"\r\n                    }\r\n                }\r\n            ]\r\n        }\r\n    ]\r\n}\r\n<\/pre>\n
                                      * Filters to determine if source of target is valid to be mapped
                                      \n– validSource<\/p>\n
                                      \r\n{\r\n    \"validSource\": {\r\n        \"type\": \"text\/javascript\",\r\n        \"source\": \"source.ldapPassword != null\"\r\n    }\r\n}\r\n<\/pre>\n
                                      – validTarget<\/p>\n
                                      \r\n{\r\n    \"validTarget\": {\r\n        \"type\": \"text\/javascript\",\r\n        \"source\": \"target.employeeType == 'internal'\"\r\n    }\r\n}\r\n<\/pre>\n
                                      <\/h3><\/span>\n
                                      <\/h4><\/span>\n
                                      <\/h3><\/span>\n
                                      <\/h3><\/span>\n
                                      Scheduling Synchronization<\/h2><\/span>\n
                                      Managing Passwords<\/h2><\/span>\n
                                      Enforcing Password Policies<\/h3><\/span>\n
                                      * By applying validation rules to attributes of managed user objects
                                      \n* For example, to exclude the use of password strings: ‘password’,’123456′,’12345678′, ‘qwerty’, ‘abc123’:
                                      \n– In conf\/managed.json<\/em> file:<\/p>\n
                                      \r\n{\r\n    \"objects\" : [\r\n        {\r\n            \"name\" : \"user\",\r\n            \"properties\" : [\r\n                {\r\n                    \"name\" : \"password\",\r\n                    \"encryption\" : {\r\n                        \"key\" : \"openidm-sym-default\"\r\n                    }\r\n                }\r\n            ],\r\n            \"onValidate\" : {\r\n                \"type\" : \"text\/javascript\",\r\n                \"file\" : \"script\/password-validator.js\"\r\n            }\r\n        }\r\n    ]\r\n}\r\n<\/pre>\n
                                      – Password validation file (script\/password-validator.js<\/em>)<\/p>\n
                                      \r\nconst dictionary = ['password','123456','12345678', 'qwerty', 'abc123'];\r\n \r\nfunction isValidPassword() {\r\n    var cleartextObject = openidm.decrypt(object);\r\n    for (var i = 0; i < dictionary.length; i++) {\r\n        if (cleartextObject.password == dictionary[i]) {\r\n            throw \"Password Policy Violation Exception\";\r\n        };\r\n    };\r\n};\r\n \r\nisValidPassword();\r\n<\/pre>\n
                                      Password Synchronization<\/h3><\/span>\n
                                      Managing Authentication, Authorization & RBAC<\/h2><\/span>\n
                                      OpenIDM Users<\/h3><\/span>\n
                                      Internal Users<\/h4><\/span>\n
                                      * anonymous<\/em>: for self registration. Default password is anonymous<\/em>
                                      \n* openidm-admin<\/em>: super user. Default password is openidm-admin<\/em><\/p>\n
                                      Managed Users<\/h4><\/span>\n
                                      * Users managed by OpenIDM<\/p>\n
                                      Authentication<\/h2><\/span>\n
                                      Default Attributes<\/h3><\/span>\n
                                      * login: email
                                      \n* password: password
                                      \n* Default attributes are defined in conf\/repo.repotype.json<\/em> file, e.g. repo.orientdb.json<\/em>
                                      \n- credential-internaluser-query
                                      \n- credential-query<\/p>\n
                                      \r\n        \"credential-query\" : \"SELECT * FROM ${_resource} WHERE userName = '${username}'\",\r\n        \"credential-internaluser-query\" : \"SELECT * FROM internal_user WHERE _openidm_id = ${username}\",\r\n<\/pre>\n
                                      * Authentication file conf\/authentication.json<\/em> defines currently active query <\/p>\n
                                      \r\ncat authentication.json \r\n{\r\n    \"queryId\" : \"credential-query\",\r\n    \"queryOnResource\" : \"managed\/user\",\r\n    \"propertyMapping\" : {\r\n        \"userId\" : \"_id\",\r\n        \"userCredential\" : \"password\",\r\n        \"userRoles\" : \"roles\"\r\n    },\r\n    \"defaultUserRoles\" : [ ]\r\n}\r\n<\/pre>\n
                                      Authentication<\/h3><\/span>\n
                                      * With standard header fields:<\/p>\n
                                      \r\ncurl --user userName:password\r\n<\/pre>\n
                                      * With OpenIDM header fields:<\/p>\n
                                      \r\ncurl\r\n --header \"X-OpenIDM-Username: openidm-admin\"\r\n --header \"X-OpenIDM-Password: openidm-admin\"\r\n<\/pre>\n
                                      Roles<\/h3><\/span>\n
                                      * openidm-reg: anonymous user
                                      \n* openidm-admin: super user
                                      \n* openidm-authorized: authenticated users.
                                      \n- Configured by defaultUserRoles<\/em> property in the conf\/authentication.json<\/em> file:<\/p>\n
                                      \r\ncat authentication.json \r\n{\r\n    \"queryId\" : \"credential-query\",\r\n    \"queryOnResource\" : \"managed\/user\",\r\n    \"propertyMapping\" : {\r\n        \"userId\" : \"_id\",\r\n        \"userCredential\" : \"password\",\r\n        \"userRoles\" : \"roles\"\r\n    },\r\n    \"defaultUserRoles\" : [ ]\r\n}\r\n<\/pre>\n
                                      * openidm-cert: authenticated by mutual SSL authentication<\/p>\n
                                      Authorization<\/h3><\/span>\n
                                      * Based on REST interface URLs
                                      \n* Defined in script\/router-authz.js<\/em> file
                                      \n- Return \"Access denied\"<\/em> to deny access:<\/p>\n
                                      \r\nif (!allow()) {\r\n    throw \"Access denied\";\r\n}\r\n<\/pre>\n
                                      Securing & Hardening OpenIDM<\/h2><\/span>\n
                                      TODO<\/p>\n
                                      Integrating Business Processes & Workflows<\/h2><\/span>\n
                                      * Two modes of integration
                                      \n- Local integration: Activiti is embedded in OpenIDM OSGI container
                                      \n- Remote integration: Standalone Activiti engine<\/p>\n
                                      Remote Integration<\/h3><\/span>\n
                                      Checkout Trunk<\/h4><\/span>\n
                                      * Checkout OpenIDM trunk from SVN URL: https:\/\/svn.forgerock.org\/openidm\/trunk<\/em><\/p>\n
                                      \"\"<\/a><\/h6><\/span>\n
                                      Compile and Package Source Codes<\/h4><\/span>\n
                                      * Install Maven 3 if not already done
                                      \n* Run Maven command:<\/p>\n
                                      \r\nmvn package\r\n<\/pre>\n
                                      Install OpenIDM<\/h4><\/span>\n
                                      * Copy openidm-zip\/target\/openidm-2.1.0-SNAPSHOT<\/em> to target machine
                                      \n* Unzip<\/p>\n
                                      Install Activiti<\/h4><\/span>\n
                                      * Download and unzip activiti-5.10.zip<\/em>
                                      \n* Change Activiti listening port from 8080<\/em> to 9090<\/em>
                                      \n- Edit setup\/build.xml and do a global replacement of 8080 to 9090 with vi command: :%s\/8080\/9090\/g<\/em>
                                      \n* Start Activiti demo app:<\/p>\n
                                      \r\nant demo.start\r\n<\/pre>\n
                                      * Access Activiti Explorer from URL: http:\/\/localhost:9090\/activiti-explorer<\/a><\/p>\n
                                      Deploy OpenIDM Workflow to Activiti Tomcat<\/h4><\/span>\n
                                      * Stop Tomcat<\/p>\n
                                      \r\nant tomcat.stop\r\n<\/pre>\n
                                      * Deploy openidm-workflow-remote web app to Tomcat by copying openidm-workflow-remote\/target\/openidm-workflow-remote-2.1.0-SNAPSHOT.war<\/em> to Tomcat webapps<\/em> directory:<\/p>\n
                                      \r\n$ cd \/opt\/openidm\/builtFromSrc\/activiti-5.10\/apps\/apache-tomcat-6.0.32\/webapps\r\n$ pwd\r\n\/opt\/openidm\/builtFromSrc\/activiti-5.10\/apps\/apache-tomcat-6.0.32\/webapps\r\n$ ls\r\nactiviti-explorer  activiti-rest  docs  examples  host-manager  manager  ROOT\r\n$ cp \/mnt\/hgfs\/vmshare\/src\/openidm-workflow-remote-2.1.0-SNAPSHOT.war .\r\n<\/pre>\n
                                      * Deploy openidm workflow activiti jar file to activiti-explorer web app's WEB-INF\/lib directory<\/p>\n
                                      \r\n$ cd \/opt\/openidm\/builtFromSrc\/activiti-5.10\/apps\/apache-tomcat-6.0.32\/webapps\/activiti-explorer\/WEB-INF\/lib\r\n$ pwd\r\n\/opt\/openidm\/builtFromSrc\/activiti-5.10\/apps\/apache-tomcat-6.0.32\/webapps\/activiti-explorer\/WEB-INF\/lib\r\n$ cp \/mnt\/hgfs\/vmshare\/src\/openidm-workflow-activiti-2.1.0-SNAPSHOT-jar-with-dependencies.jar .\r\n<\/pre>\n
                                      * Edit Activiti Explorer config file to be able to use OpenIDM extenstions <\/p>\n
                                      \r\n$ cd \/opt\/openidm\/builtFromSrc\/activiti-5.10\/apps\/apache-tomcat-6.0.32\/webapps\/activiti-explorer\/WEB-INF\r\n$ pwd\r\n\/opt\/openidm\/builtFromSrc\/activiti-5.10\/apps\/apache-tomcat-6.0.32\/webapps\/activiti-explorer\/WEB-INF\r\n$ ls\r\nactiviti-ui-context.xml  applicationContext.xml  classes  lib  web.xml\r\n$ vi applicationContext.xml \r\n<\/pre>\n
                                      - Replace<\/p>\n
                                      \r\n\r\n \r\n \r\n \r\n \r\n \r\n  \r\n   \r\n  <\/list>\r\n <\/property>\r\n<\/bean>\r\n<\/pre>\n
                                      with<\/p>\n
                                      \r\n\r\n   \r\n      \r\n   \r\n      \r\n   \r\n  \r\n  \r\n  \r\n  \r\n  \r\n  \r\n       \r\n      <\/list>\r\n     <\/property>\r\n  \r\n  \r\n       \r\n  \r\n  \r\n  \r\n       <\/bean>\r\n     <\/list>\r\n   <\/property>\r\n  \r\n  \r\n       <\/bean>\r\n       <\/bean>\r\n       <\/bean>\r\n     <\/list>\r\n   <\/property>\r\n  \r\n      <\/bean>\r\n   <\/property>\r\n<\/bean>\r\n<\/pre>\n
                                      * Restart Activiti Demo:<\/p>\n
                                      \r\ncd $ACTIVITI_HOME\/setup\r\nant demo.stop\r\nant demo.start\r\n<\/pre>\n
                                      * Check that Activiti Explorer is accessible.<\/p>\n
                                      Configure OpenIDM to use Remote Activiti<\/h4><\/span>\n
                                      * Copy sample workflow.json<\/em> file to conf<\/em> directory if none exists:<\/p>\n
                                      \r\ncd $OPENIDM_HOME\r\ncp samples\/misc\/workflow.json conf\/\r\n<\/pre>\n
                                      * Edit workflow.json file to point to remote Activiti instance with correct username and password (i.e. kermit<\/em>\/kermit<\/em>)<\/p>\n
                                      \r\n{\r\n    \"enabled\" : true,\r\n    \"location\" : \"remote\",\r\n    \"engine\" : {\r\n        \"url\" : \"http:\/\/localhost:9090\/openidm-workflow-remote-2.1.0-SNAPSHOT\/\",\r\n        \"username\" : \"kermit\",\r\n        \"password\" : \"kermit\"\r\n    },\r\n<\/pre>\n
                                      * Start OpenIDM<\/p>\n
                                      \r\ncd $OPENIDM_HOME\r\n.\/startup.sh\r\n<\/pre>\n
                                      * Test integration:<\/p>\n
                                      \r\ncurl \\\r\n  --header \"X-OpenIDM-Username: openidm-admin\" \\\r\n  --header \"X-OpenIDM-Password: openidm-admin\" \\\r\n  --request GET \"http:\/\/localhost:8080\/openidm\/workflow\"\r\n\r\n{\"result\":[{\"name\":\"Vacation request\",\"processDefinitionId\":\"vacationRequest:1:21\",\"key\":\"vacationRequest\"},{\"name\":\"Helpdesk process\",\"processDefinitionId\":\"escalationExample:1:22\",\"key\":\"escalationExample\"},{\"name\":\"Review sales lead\",\"processDefinitionId\":\"reviewSaledLead:1:23\",\"key\":\"reviewSaledLead\"},{\"name\":\"Fix system failure\",\"processDefinitionId\":\"fixSystemFailure:1:24\",\"key\":\"fixSystemFailure\"},{\"name\":\"Expense process\",\"processDefinitionId\":\"adhoc_Expense_process:1:25\",\"key\":\"adhoc_Expense_process\"}]}\r\n<\/pre>\n
                                      Install the sample workflow (example.bpmn20.xml) from the openidm-workflow-activiti project<\/h4><\/span>\n
                                      * Login remote Activiti Explorer as kermit\/kermit
                                      \n* Select Manage > Deployment > Upload New<\/em> <\/p>\n
                                      \"\"<\/a><\/h6><\/span>\n
                                      * Browse to file openidm-workflow-activiti\/src\/main\/resources\/OSGI-INF\/activiti\/example.bpmn20.xml<\/em>
                                      \n* Start osgiProcess<\/em> from REST API:<\/p>\n
                                      \r\ncurl \\\r\n\t--header \"X-OpenIDM-Username: openidm-admin\" \\\r\n\t--header \"X-OpenIDM-Password: openidm-admin\" \\\r\n\t--request POST \"http:\/\/localhost:8080\/openidm\/workflow\/processinstance?_action=createProcessInstance\" \\\r\n\t--data '{ \"key\":\"osgiProcess\" }'\r\n\r\n{\"_id\":\"1010\",\"processInstanceId\":\"1010\",\"status\":\"ended\",\"businessKey\":null,\"processDefinitionId\":\"osgiProcess:1:915\"}\r\n<\/pre>\n
                                      - Also check Activiti Tomcat catalina.out for osgiProcess related outputs:<\/p>\n
                                      \r\n$ pwd\r\n\/opt\/openidm\/builtFromSrc\/activiti-5.10\/apps\/apache-tomcat-6.0.32\/logs\r\n$ vi catalina.out\t\r\n\r\nscript task using expression resolver: [result:[[name:Vacation request, processDefinitionId:vacationRequest:1:21, key:vacationRequest], [name:Helpdesk process, processDefinitionId:escalationExample:1:22, key:escalationExample], [name:Review sales lead, processDefinitionId:reviewSaledLead:1:23, key:reviewSaledLead], [name:Fix system failure, processDefinitionId:fixSystemFailure:1:24, key:fixSystemFailure], [name:Expense process, processDefinitionId:adhoc_Expense_process:1:25, key:adhoc_Expense_process], [name:Osgi process, processDefinitionId:osgiProcess:1:915, key:osgiProcess]]]\r\n<\/pre>\n
                                      * Alternatively, start osgiProcess<\/em> from Activiti Explorer:<\/p>\n
                                      \"\"<\/a><\/h6><\/span>\n
                                      - Check Activiti Tomcat catalina.out for osgiProcess related outputs:<\/p>\n
                                      \r\nSep 18, 2012 1:07:26 PM org.restlet.engine.log.LogFilter afterHandle\r\nINFO: 2012-09-18\t13:07:26\t127.0.0.1\tkermit\t127.0.0.1\t9090\tGET\t\/openidm-workflow-remote-2.1.0-SNAPSHOT\/\t-\t200\t-0\t8\thttp:\/\/localhost:9090\tRestlet-Framework\/2.0.15\t-\r\nscript task using expression resolver: [result:[[name:Vacation request, processDefinitionId:vacationRequest:1:21, key:vacationRequest], [name:Helpdesk process, processDefinitionId:escalationExample:1:22, key:escalationExample], [name:Review sales lead, processDefinitionId:reviewSaledLead:1:23, key:reviewSaledLead], [name:Fix system failure, processDefinitionId:fixSystemFailure:1:24, key:fixSystemFailure], [name:Expense process, processDefinitionId:adhoc_Expense_process:1:25, key:adhoc_Expense_process], [name:Osgi process, processDefinitionId:osgiProcess:1:915, key:osgiProcess]]]\r\nSep 18, 2012 1:07:26 PM org.restlet.engine.log.LogFilter afterHandle\r\nINFO: 2012-09-18\t13:07:26\t127.0.0.1\tkermit\t127.0.0.1\t9090\tGET\t\/openidm-workflow-remote-2.1.0-SNAPSHOT\/\t-\t200\t-0\t15\thttp:\/\/localhost:9090\tRestlet-Framework\/2.0.15\t-\r\nscript task using resolver: [result:[[name:Vacation request, processDefinitionId:vacationRequest:1:21, key:vacationRequest], [name:Helpdesk process, processDefinitionId:escalationExample:1:22, key:escalationExample], [name:Review sales lead, processDefinitionId:reviewSaledLead:1:23, key:reviewSaledLead], [name:Fix system failure, processDefinitionId:fixSystemFailure:1:24, key:fixSystemFailure], [name:Expense process, processDefinitionId:adhoc_Expense_process:1:25, key:adhoc_Expense_process], [name:Osgi process, processDefinitionId:osgiProcess:1:915, key:osgiProcess]]]\r\n<\/pre>\n
                                      Local Activiti Integration<\/h3><\/span>\n
                                      * Local Activiti integration is included in the standard OpenIDM 2.1 build without<\/strong> Activiti Explorer.
                                      \n* To access Activiti Explorer with Local Activiti Engine, see                                       this post<\/a>.
                                      \n* To use Single User Store for both OpenIDM and Activiti, see                                       this post<\/a>.<\/p>\n
                                      Configure Activiti Engine<\/h3><\/span>\n
                                      * Configured in conf\/workflow.json<\/em> file:
                                      \n- For local embedded Activiti engine:<\/p>\n
                                      \r\ncat workflow.json \r\n{\r\n    \"enabled\" : true\r\n}\r\n<\/pre>\n
                                      - For remote standalonoe Activiti instance:<\/p>\n
                                      \r\n{\r\n    \"enabled\" : true,\r\n    \"location\" : \"remote\",\r\n    \"engine\" : {\r\n        \"url\" : \"http:\/\/localhost:9090\/openidm-workflow-remote-2.1.0-SNAPSHOT\/\",\r\n        \"username\" : \"kermit\",\r\n        \"password\" : \"kermit\"\r\n    },\r\n<\/pre>\n
                                      Define Activiti Workflows<\/h3><\/span>\n
                                      * Define BPMN 2.0 work flow file (with text editor or BPMN 2.0 editor)
                                      \n* Package as a .bar<\/em> file
                                      \n* Copy bar file to workflow<\/em> directory
                                      \n* Invoke workflow using a script
                                      \n* Optionally schedule workflow <\/p>\n
                                      Invoking Activiti Workflows<\/h3><\/span>\n
                                      * From any trigger point within OpenIDM
                                      \n* From script files using openidm.action()<\/em> function<\/p>\n
                                      \r\n\/*\r\n * Calling 'myWorkflow' workflow\r\n *\/\r\nvar workflow = {   \r\n \"_action\" : \"myWorkflow\"\r\n};\r\n  \r\nvar params = {\r\n \"foo\" : \"bar\"\r\n};\r\n \r\nopenidm.action(\"workflow\/activiti\", workflow, params);\r\n<\/pre>\n
                                      * Directly from REST interface<\/p>\n
                                      \r\ncurl --header \"X-OpenIDM-Username: openidm-admin\" \\\r\n  --header \"X-OpenIDM-Password: openidm-admin\" \\\r\n  --data '{\"foo\":\"bar\"}' \\\r\n  --request POST \"http:\/\/localhost:8080\/openidm\/workflow?_action=myWorkflow\"\r\n<\/pre>\n
                                      Email Notification Example<\/h3><\/span>\n
                                      * Create EmailNotification.bpmn file
                                      \n* Package as .bar file
                                      \n* Copy .bar file to workflow directory
                                      \n* Invoke directly from REST<\/p>\n
                                      \r\ncurl \\\r\n\t--header \"X-OpenIDM-Username: openidm-admin\" \\\r\n\t--header \"X-OpenIDM-Password: openidm-admin\" \\\r\n\t--request POST \"http:\/\/localhost:8080\/openidm\/workflow\/processinstance?_action=createProcessInstance\" \\\r\n\t--data '{\"key\":\"EmailNotification\",\"fromSender\" : \"noreply@openidm\",\"toEmail\" : \"jdoe@example.com\"}'\r\n\r\n{\"_id\":\"208\",\"processInstanceId\":\"208\",\"status\":\"ended\",\"businessKey\":null,\"processDefinitionId\":\"EmailNotification:1:207\"}\r\n<\/pre>\n
                                      Example Sunset Workflow Triggered By Reconciliation<\/h3><\/span>\n
                                      * Authoritative data source: CSV file<\/p>\n
                                      \r\n\"firstName\",\"uid\",\"lastName\",\"email\",\"employeeNumber\",password,\"sunrise\",\"sunset\",\"active\"\r\n\"Darth\",\"DDOE\",\"Doe\",\"doe@example.com\",\"123456\",\"Z29vZA==\",\"2012-06-30T00:00:00Z\",\"2012-12-23T00:00:00Z\",\"TRUE\"\r\n<\/pre>\n
                                      * Target data source: XML file<\/p>\n
                                      \r\n<\/pre>\n
                                      * Scenario:
                                      \nNew user in CSV -> Kicks of reconcile process -> Found new user -> Add to XML<\/p>\n
                                      \r\n<\/pre>\n
                                      Sending Email<\/h2><\/span>\n
                                      Setup Outbound Email<\/h3><\/span>\n
                                      * Shutdown OpenIDM
                                      \n* Copy sample email config file to conf<\/em> directory:<\/p>\n
                                      \r\ncd $OPENIDM_HOME\r\ncp samples\/misc\/external.email.json conf\/\r\n<\/pre>\n
                                      * Modify email config file:<\/p>\n
                                      \r\n{\r\n        \"host\" : \"smtp.example.com\",\r\n        \"port\" : \"25\",\r\n        \"username\" : \"openidm\",\r\n        \"password\" : \"secret12\",\r\n        \"mail.smtp.auth\" : \"true\",\r\n        \"mail.smtp.starttls.enable\" : \"true\"\r\n}\r\n<\/pre>\n
                                      * Restart OpenIDM
                                      \n* Check external mail is up and running<\/p>\n
                                      \r\n-> scr list\r\n...\r\n[   6] [active       ] org.forgerock.openidm.external.email\r\n...\r\n<\/pre>\n
                                      Send mail from REST<\/h3><\/span>\n
                                      \r\ncurl \\\r\n --header \"X-OpenIDM-Username: openidm-admin\" \\\r\n --header \"X-OpenIDM-Password: openidm-admin\" \\\r\n --request POST \"http:\/\/localhost:8080\/openidm\/external\/email?_from=openidm@example.com&_to=user@example.com&_subject=Test&_body=Test\"\r\n\r\n{\"status\":\"OK\"}\r\n<\/pre>\n
                                      Sending Mail from Script<\/h3><\/span>\n
                                      * Use external\/email<\/em> context:<\/p>\n
                                      \r\nvar params =  new Object();\r\nparams._from = \"openidm@example.com\";\r\nparams._to = \"admin@example.com\";\r\nparams._cc = \"wally@example.com,dilbert@example.com\";\r\nparams._subject = \"OpenIDM recon report\";\r\nparams._type = \"text\/html\";\r\nparams._body = \"
                                      Recon report follows...<\/p><\/body><\/html>\";\r\n \r\nopenidm.action(\"external\/email\", params);\r\n<\/pre>\n
                                      Errors<\/h2><\/span>\n
                                      action method not implemented on workflow<\/h3><\/span>\n
                                      * Error message:<\/p>\n
                                      \r\ncurl \\\r\n  --header \"X-OpenIDM-Username: openidm-admin\" \\\r\n  --header \"X-OpenIDM-Password: openidm-admin\" \\\r\n  --request POST \"http:\/\/localhost:8080\/openidm\/workflow?_action=osgiProcess\"\r\n\r\ncurl \\\r\n>   --header \"X-OpenIDM-Username: openidm-admin\" \\\r\n>   --header \"X-OpenIDM-Password: openidm-admin\" \\\r\n>   --request POST \"http:\/\/localhost:8080\/openidm\/workflow?_action=osgiProcess\"\r\n{\"error\":400,\"reason\":\"Bad Request\",\"detail\":\"action method not implemented on workflow\"}\r\n<\/pre>\n
                                      * Reason: OpenIDM\/Activiti REST interface has changed.<\/p>\n
                                      References<\/h2><\/span>\n
                                      * OpenIDM 2.1.0 Integrator's Guide<\/a>
                                      \n*                                       ForgeRock Documentation<\/a>
                                      \n*                                       OpenIDM Wiki<\/a>
                                      \n*                                       Forum<\/a>
                                      \n*                                       Enhanced REST interface for the Activiti integration<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
                                      Architectural Overview Modular Framework * OSGi (Felix) * Servlet (Jetty) Infrastructure Modules * Scheduler (Quartz) * Script engine (JavaScript) * Audit logging * Repository – MySQL for production use – OrientDB for evaluation use – Repository API is based on … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[203],"tags":[248,204],"class_list":["post-5980","post","type-post","status-publish","format-standard","hentry","category-openidm","tag-integration","tag-openidm-2"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-1ys","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5980","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5980"}],"version-history":[{"count":17,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5980\/revisions"}],"predecessor-version":[{"id":6243,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5980\/revisions\/6243"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}