ForgeRock Identity Platform 7 — adding a custom schema to your shared DS repository

Shared Identity Store
Traditional Approach with Separate Identity Stores

Custom Schema

More often than not customers require the underlying identity store, such as ForgeRock Directory Services, to be configured with a custom schema. An example is an organisation named ExampleOrg that sells T-Shirts, to allow all customers to maintain their T-Shirt size as part of their identity.

ExampleOrg should maintain an optional attribute named exampletshirtsize for its customers.

The following describes how to configure the custom schema for the underlying shared DS repository, as well as configuring IDM and AM to set and consume these values.

ForgeRock Directory Services

Configure Custom Schema

The first step is to create your custom schema and add to your Directory Server.

dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
cn: schema
attributeTypes: ( exampleTShirtSize-oid NAME ‘exampletshirtsize’ DESC ‘T-Shirt Size of User’ EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX USAGE userApplications X-SCHEMA-FILE ‘99-user.ldif’ )
objectClasses: ( examplePerson-oid NAME ‘examplePerson’ DESC ‘User Object for Example People’ SUP inetOrgPerson STRUCTURAL MAY ( exampletshirtsize ) X-SCHEMA-FILE ‘99-user.ldif’ )

Test Custom Schema in DS

We will test the configuration by adding the custom objectclass and attribute to an existing user.

ForgeRock Identity Management

When IDM is configured to use DS as a repository, you’ll need to take the following steps:

  1. Configure IDM Repository
  2. Configure IDM Managed Object/s

Configure IDM Repository

IDM uses the repo.ds.json file to define communication with the DS repository. This will need to be modified to include the custom objectClass and attribute.

Configure IDM Managed Object

You can configure managed objects via the managed.json file or using the IDM Admin UI, both of these options are described below, choose one method.

Add Property with Admin UI

Test IDM Repository Configuration

We can test that IDM is correctly configured by browsing to Manage -> User.

Custom attribute read from repository.

ForgeRock Access Management

AM will need to be modified so when communicating with the Identity Repository, it can read the new objectclass and attribute.

Configure AM via AM Admin Console

Browse to your AM console and head to Identity Stores.

AM Identity Store Configuration
User Configuration
Custom Object Class
Custom Attribute

Configure AM via REST

If you don’t want to use the UI, and/or you want a repeatable process (recommended) you can configure this via REST. To do this you’ll need to GET the value of the Identity Store, then modify the details to include the custom values.

Test AM Configuration

We are not modifying the XUI, so to test this, make a REST call to AM and ensure the values are available.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store