Promote Configuration Changes

The Identity Cloud promotion process lets you move your configuration changes securely from one environment to another.

Your engineering environments

ForgeRock customers typically build IAM applications in three environments:

  • Development environment for programming

  • Staging environment for testing applications under realistic settings

  • Production environment for putting applications into operation for end users

Identity Cloud supports this code promotion model. Your subscription includes Development, Staging, and Production environments.

Your Development environment is mutable. This means you can customize it and build new authentication experiences, all through a cloud-based UI and API.

When you’re ready to promote what you’ve built in the Development environment to Staging or Production, submit a Support ticket. We’ll do what’s required to promote your changes as outlined in this page.

In situations where you need a configuration setting value to be distinct in each environment, we’ll do the set up for you. For example, if an authentication token needs different values in Development, Staging, and Production, just submit a Support ticket. We’ll do the rest.

To promote configuration changes

  1. Go to the Backstage website, and click Support.

  2. On the ForgeRock Support page, click New Ticket > Enhancement Request.

  3. On the Enhancement Request form:

Promotion process FAQs

What kind of configuration changes can my company make?

For the purposes of promotion, ForgeRock draws a clear line between dynamic and static configuration.

Dynamic configuration changes occur automatically when your application end users use Identity Cloud features. For example, when they configure applications or add users in the Admin UI, the changes take effect immediately in the Development, Staging, or Production environments.

Static configuration changes occur only when authorized admins make changes in the Development environment, or when configuration changes get promoted to another environment. Only ForgeRock SREs can promote static configuration from Development to Staging and Production environments.

The following tables summarize the types of configuration changes possible, and whom you can authorize to make changes:

Identity Cloud UI Configuration
Feature     Admins & end users               (devops)  ForgeRock SREs                        (promotion)

● Applications
     ◦   Native/SPA
     ◦   Web (node.js, Java)
     ◦   Service (m2m)
● Gateways & Agents




● Identities
     ◦   Connect (Connector Server)
     ◦   Connect (Server Cluster)


AM Configuration
Feature     Admins & end users               (devops)  ForgeRock SREs                        (promotion)

● Applications Agents
     ◦   IG Agent
     ◦   Java Policy Agents
     ◦   Web Policy Agents


● Applications Federation
     ◦   Circle of Trust
     ◦   SAML2 Entity Provider


● Applications OAuth 2.0                             (excluding scripts)
     ◦   Clients
     ◦   Remote Consent
     ◦   Software Publisher
     ◦   Trusted JWT Issuer


● Password policy                                        (created from Identity Cloud UI)


● Authentication trees


● Authorization
     ◦   Policy sets
     ◦   Resource types


● Scripts (all)


● Services (per realm)
     ◦   OAuth 2.0 provider
     ◦   Social IdP services
     ◦   Policy configuration
     ◦   Base URL source


IDM Configuration
Feature     Admins & end users               (devops)  ForgeRock SREs                        (promotion)

Managed objects


Sync mappings


Connector mappings


Roles & assignments


Email notifications


How do we determine what is static and dynamic configuration?

ForgeRock considers all configuration static, except for the two types of config data that may be changed at runtime: applications and access policies. These config data types can be created on the fly, and can be used immediately afterwards.

Applications represented by OAuth2 clients can be registered at runtime through the Dynamic Client Registration Protocol. Access policies are created every time an end user shares access to a resource.

ForgeRock recognizes that other types of applications or access policies might not change at runtime. But ForgeRock products handle each data class consistently, so we can leverage potential usage patterns in the future.

What exactly is promoted and what is not?

These artifacts are NOT promoted. They remain unchanged during the promotion process:

  • Identities:
    Users, things, admins, roles, and assignments

  • Applications:
    Connectors, Agents, Federations, OAuth2 clients (using the Applications Admin UI), Gateways and Agents

  • Access policies:
    AM policy sets and resource types

All other configuration is promoted between environments.

How do I manage configuration?

You have the choice of using the Identity Cloud Admin UI, or using the REST APIs for configuration.

Static configuration
  • You make changes in your Development environment.

  • ForgeRock SREs promote it to Staging or Production when you are ready.

Dynamic configuration
  • You configure applications and add users in your Development, Staging and Production environments.

  • Changes take effect immediately.

What if I need to roll back a configuration?

ForgeRock can roll back static configuration for you. Configuration data is maintained in Git repositories within your environment. So, configuration data can be restored as a whole to previous settings.

When you request a rollback, ForgeRock reverts your Development environment to the point in time you specify. ForgeRock can then promote that configuration to Staging and Production environments when confirmed by you.

Dynamic configuration is not altered when rolling back in this way. Users applications and access policies remain as they are.

What if some configuration attributes must vary per environment?

We understand that sometimes you have to use a configuration attribute value that is not identical across Development, Staging, and Production environments. For example, you might need one set of credentials for an external service in Development, but a different set of credentials in Production.

In cases like this, follow these steps:

  1. Go to the Backstage website, and click Support > New Ticket > Enhancement Request.

  2. On the Enhancement Request form:

    • In the Product Family list, choose ForgeRock Identity Cloud.

    • In the Subject line, request a Configuration Intervention.

  3. In the Details field, provide the following:

    • Tenant name (Example:

    • Name and path to the attribute that will be different among environments.

    • Specify an attribute value to be used in each environment: Development, Staging, and Production.
      At least one of these should be different from the others.
      (Optional) You can supply the values in encrypted form.

    • Click Submit.

ForgeRock temporarily locks your environment while we add the value to the platform configuration, and configure the values for each environment.

Once completed, we’ll ask you to verify that the platform is still working as you expect it to work.

How do I ask ForgeRock to move configuration for me?

  1. Go to the Backstage website, and click Support > New Ticket > Enhancement Request.

  2. On the Enhancement Request form:

    • In the Product Family list, choose ForgeRock Identity Cloud.

    • In the Subject line, request a Configuration Promotion.

  3. In the Details field, provide the following:

    • Tenant name (Example:

    • Whether you want to promote dev to staging, or staging to production.

ForgeRock promotes one step at a time. We’ll ask you to check and confirm the Staging environment status before we promote the configuration to the Production environment.

How long does the promotion process take?

Promotion normally takes 2 hours, and is carried out by the end of the next business day. ForgeRock prevents changes to the Development environment while promotion is in progress.