Applies to Deployment Manager 5.5.x 

Open Access Manager (OpenAM) is an access management solution for handling SSO, authentication, authorization, entitlements, federation, and web services security. You can use OpenAM with Deployment Manager 5.5.x to facilitate communication between candidate-to-orchestrator and orchestrator-to-orchestrator.

Integrating OpenAM with Deployment Manager 

Perform the following steps to integrate OpenAM with Deployment Manager. 

Install OpenAM 

1. Download OpenAM from the Forgerock website.
2. Install OpenAM according to your preferences. 

Create a realm 

Create a new Realm. For example, you could name the realm PEGSAML, as shown in the following example: 

Create a Hosted Identity Provider 

1. Navigate to the realm you created, for example: PEGSAML realm > Configure SAMLv2 Provider > Create Hosted Identity provider. 

2. Create an Identity Provider (IDP).   

Create an identity 

In OpenAM, click Identities to create an Identity, for example: [email protected]. 

Configure a SAML 2.0 authentication service in Pega Platform™ 

1. Create a new authentication service by navigating to Dev Studio > Configure > Org & Configure > Authentication > Create Authentication Service. 

2. In the Authentication Service Alias field, enter a name that becomes part of the URL for SSO login, for example, PEGSAML. 
3. Click the Import IdP metadata link. 
4. In the URL field, enter the URL.
5. Click Submit. 

Register Pega as a Remote Service Provider with OpenAM 

1. In the OpenAM portal, from the Realm dropdown, select the realm you created previously, such as PEGSAML. 
2. Select Configure SAMLv2 Provider. 
3. Select Configure Remote Service Provider. 
4. Select the Realm that you created, for example: PEGSAML. 
5. In the Where does the metadata file reside? section, select URL. 
6. Obtain the URL for the URL where the metadata is located field by looking at the Realm Authentication Service that you configured in Pega Platform, such as PEGSAML.
7. You can find the URL by clicking the Download SP metadata link in the Service Provider settings of the SAML 2.0 tab, and then copying the URL for the page that is displayed. 
8. Select Configure to add Pega as a remote service provider. 

Create OAuth profile 

1. Navigate to [Name of realm] > Configure OAuth Provider > Configure OAuth 2.0. 
2. Create the OAuth 2.0 profile in the realm that you created earlier, for example: PEGSAML. The following images show an example of an OAuth2.0 configuration. 

OAuth 2.0 configuration additional settings. 

OpenAM JWT Verification Setup 

Set up the trust JWT issues required to verify the JWT token, as shown in the following example: 

Recommended approach to integrating OpenAM with Deployment Manager

The recommended approach for using OpenAM with Deployment Manager is to use DMReleaseAdmin_OAuth in a customer environment, and DMAgentUser in orchestrator.

Authentication profiles should be modified with OpenAM client credentials, as shown in the following OpenAM client configuration example: 

DMStudioUser in Orchestrator authentication profiles should be modified using OpenAM JWT credentials.

An example of OpenAM JWT credentials is shown in the following example:

An example token profile for JWT is shown in the following example:

An example security configuration is shown in the following example: