Description
The ForgeRock / PingAM connector uses the AM REST API to discover user identities, groups, and role assignments within a ForgeRock Access Management (now PingAM) deployment. It authenticates using an admin service account and enumerates user objects from the configured identity store realm, providing visibility into federated and local identities.
System Type Classification
| Field | Value |
|---|---|
| System Type | Directory Service |
| Default Scan Priority | 10 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| REST API (HTTPS) | 443 TCP | AM SSO token or OAuth 2.0 authentication |
What OrbisID Discovers
| Data | Source |
|---|---|
| User identities | GET /openam/json/users?_queryFilter=true |
| Groups | GET /openam/json/groups?_queryFilter=true |
| Group memberships | GET /openam/json/users/{id}/memberships |
| User enabled state | inetUserStatus attribute |
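As an added example (not OrbisID's or ForgeRock's own code), the user-discovery flow from the table above in Python: a header-based login to the AM authenticate endpoint, then a paged `_queryFilter=true` enumeration that maps `inetUserStatus` to an enabled flag, with TLS verified against an imported CA bundle rather than disabled. The `_pageSize`/`_pagedResultsCookie` paging parameters, the `iPlanetDirectoryPro` session header name and the `https://am.example.com` base URL are assumptions, the realm is left out of the paths as on this page, and the responses in `_SAMPLE` are constructed so the code runs offline.

```python
import json, ssl, urllib.request

def https_transport(ca_bundle: str):
    # Real transport: verify AM's certificate against the imported AM CA bundle
    # (the fix this page gives for SSL errors) instead of turning verification off.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    def send(method: str, url: str, headers: dict) -> dict:
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return send

def am_login(base_url: str, username: str, password: str, send) -> str:
    # Header-based login to the AM authenticate endpoint; returns the SSO tokenId.
    body = send("POST", f"{base_url}/openam/json/authenticate",
                {"X-OpenAM-Username": username, "X-OpenAM-Password": password,
                 "Content-Type": "application/json",
                 "Accept-API-Version": "resource=2.0, protocol=1.0"})
    return body["tokenId"]

def discover_users(base_url: str, token: str, send, page_size: int = 100) -> list:
    # Enumerate users with _queryFilter=true, following the paged-results cookie
    # (assumed CREST paging parameters), and normalise inetUserStatus to enabled/disabled.
    headers = {"iPlanetDirectoryPro": token,  # assumed default SSO token header name
               "Accept-API-Version": "resource=2.0, protocol=1.0"}
    users, cookie = [], None
    while True:
        url = f"{base_url}/openam/json/users?_queryFilter=true&_pageSize={page_size}"
        if cookie:
            url += f"&_pagedResultsCookie={cookie}"
        page = send("GET", url, headers)
        for u in page.get("result", []):
            status = u.get("inetUserStatus", ["Active"])  # attribute values arrive as lists
            status = status[0] if isinstance(status, list) else status
            users.append({"id": u["_id"], "enabled": status.lower() == "active"})
        cookie = page.get("pagedResultsCookie")
        if not cookie:
            return users

# Constructed sample responses (not real AM output) so the example runs offline.
_SAMPLE = {
    "POST https://am.example.com/openam/json/authenticate": {"tokenId": "AQIC-sample-token"},
    "GET https://am.example.com/openam/json/users?_queryFilter=true&_pageSize=2":
        {"result": [{"_id": "alice", "inetUserStatus": ["Active"]},
                    {"_id": "bob", "inetUserStatus": ["Inactive"]}], "pagedResultsCookie": "c1"},
    "GET https://am.example.com/openam/json/users?_queryFilter=true&_pageSize=2&_pagedResultsCookie=c1":
        {"result": [{"_id": "carol"}], "pagedResultsCookie": None},
}

def sample_transport(method: str, url: str, headers: dict) -> dict:
    # Offline stand-in for https_transport(); looks up the constructed response.
    return _SAMPLE[f"{method} {url}"]
```

Against a live deployment, swap `sample_transport` for `https_transport("/path/to/am-ca.pem")` and pass the read-only service account from the Credential Mapping section.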
Connection Requirements
Required Permissions
Create a dedicated AM service account with read access to the identity store.
Minimum permissions:
- Read Users on the target realm
- Read Groups on the target realm
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.username | AM administrator or service account username |
| credential.password | AM account password |
| system.hostname | AM server base URL (e.g., am.example.com) |
| system.realm | AM realm (e.g., / for root or /customers) |
Network Requirements
The OrbisID server must have HTTPS access to the ForgeRock AM server on port 443.
Configuration Steps
- Create a dedicated service account in the AM console with read-only identity store permissions
- Create a Credential in OrbisID:
  - Username: AM service account username
  - Password: AM service account password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., ForgeRock AM – Production) |
| OS Type | ForgeRock |
| System Type | Directory Service |
| Hostname | AM server hostname |
| Credential | The scanning credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed | Invalid credentials | Verify the service account in the AM console |
| No users returned | Incorrect realm | Confirm the realm path in the system configuration |
| 403 Forbidden | Missing delegation | Grant read delegation to the service account for the target realm |
| SSL certificate error | Self-signed certificate | Import the AM CA certificate into the OrbisID trust store |