Guide to ForgeRock Identity Platform™ modules.

About the ForgeRock Identity Platform

The ForgeRock Identity Platform is the only offering for access management, identity management, user-managed access, directory services, and an identity gateway, designed and built as a single, unified platform.

This guide describes in general terms the ForgeRock® modules that compose the ForgeRock Identity Platform, and indicates where to find the documentation corresponding to each module. "ForgeRock Identity Platform Modules" summarizes the modules available.

ForgeRock Identity Platform Modules
Core SolutionModuleFind Details In
ForgeRock Access Management (AM)Intelligent Authentication"Intelligent Authentication Module"
Authorization"Authorization Module"
Federation"Federation Module"
User-Managed Access"User-Managed Access Module"
ForgeRock Identity Management (IDM)Identity Synchronization"Identity Synchronization Module"
Self-Service"Self-Service Module"
Workflow"Workflow Module"
Social Identity"Social Identity Module"
ForgeRock Directory Services (DS)Directory Server"Directory Server Module"
Directory Proxy Server"Directory Proxy Server Module"
ForgeRock Identity Gateway (IG)Identity Gateway"Identity Gateway Module"
ForgeRock Edge SecurityIdentity Message Broker"Identity Message Broker Module"

In addition to the modules listed in this guide, you can use the following ForgeRock software to enhance platform deployments:

ForgeRock DevOps Examples

DevOps Examples demonstrate installation, configuration, and deployment of ForgeRock Identity Platform components using DevOps techniques.

See DevOps Developer's Guide and DevOps Quick Start Guide.

ForgeRock Authenticator Application

This app allows end users to perform multi-factor authentication and transactional authorization from a registered Android or iOS device. It is designed for use in both multi-factor and passwordless authentication scenarios. It is associated with a Push Authentication Simple Notification Service module that depends on the module described in "Intelligent Authentication Module".

See About Push Authentication and Introducing Transactional Authorization.

ForgeRock Service Broker

ForgeRock Service Broker enables you to manage and federate access to Cloud Foundry applications, and to transform and process requests before they reach a Cloud Foundry application.

See the ForgeRock Service Broker User Guide.

For further details and help gaining access to additional software, contact ForgeRock at info@forgerock.com. If your project or deployment requires source code access, also contact ForgeRock.

This guide includes general statements of functionality for the following software versions:

  • ForgeRock Access Management 6.5, with Web Agent 5 and Java Agent 5

  • ForgeRock Identity Management 6.5

  • ForgeRock Directory Services 6.5

  • ForgeRock Identity Gateway 6.5

  • ForgeRock Identity Message Broker 5.5

This document is not meant to serve as a statement of functional specifications. Software functionality may evolve in incompatible ways in major and minor releases, and occasionally in maintenance (patch) releases. Release notes cover many incompatible changes. If you see an incompatible change for a stable interface that is not mentioned in the release notes, please report an issue with the product documentation for that release.

Chapter 1. Access Management

The ForgeRock Access Management 6.5 software provides the following capabilities:

  • Intelligent authentication

  • Mobile authentication

  • Push authentication

  • Adaptive risk authentication

  • Authorization policies and enforcement

  • Federation

  • Single sign-on (SSO)

  • User self-services and social sign-on

  • High-availability and scalability

  • Adaptable monitoring and auditing services

  • Developer-friendly, rich standards support

1.1. Intelligent Authentication Module

This module will help you build secure, robust, centrally managed single sign-on services. The user, application, or device signs on once and then is granted appropriate access everywhere. Authentication management integrates delegated authentication chains with many authentication methods supported by default. Authentication trees store authentication sessions in the client as a cookie, or in the CTS store. If the AM server goes down or the user is redirected to another AM while authenticating, the new AM server can grab the authentication session and continue the flow. All authentication-related events are logged for auditing and reporting purposes.

Intelligent authentication module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
Authentication Trees and NodesAuthentication trees provide fine-grained authentication, social authentication, and multi-factor authentication. Trees are made up of authentication nodes. Authentication nodes allow multiple paths and decision points throughout the authentication flow, enabling AM to handle different modes of authenticating users. About Authentication Trees
Authentication ModulesAM provides more than 25 authentication modules, including multi-factor and strong authentication, to handle different modes of authenticating users or entities. The modules can be chained together so that a user's or entity's credentials must be evaluated by one module before control passes to another module. Authentication Module Properties
Adaptive Risk ModuleRisk assessment based on predetermined characteristics to determine whether to complete further authentication steps in a chain. Adaptive Risk Authentication Module
Session High AvailabilityPersistent access management sessions, authenticating the user until the session expires Session high availability is enabled by default with no setup required.
Multi-Factor and Strong AuthenticationCapability to challenge for additional credentials when authentication takes place under centrally-defined risky or suspicious conditions. About Multi-Factor Authentication
External Configuration StoreConfiguration storage in ForgeRock Directory Services for high-availability. Preparing an External Configuration Data Store
REST and SOAP STSSecure Token Service (STS) for bridging identities across web and enterprise identity access management (IAM) systems through a token transformation process, securely providing cross-system access to service resources by authenticated requesting applications. Introducing the Security Token Service
Web and Java Agents for SSOIntercept requests to access protected resources and redirect for appropriate authentication. Web Agents User Guide and Java Agents User Guide
Mobile AuthenticatorSample iOS and Android applications for strong multi-factor authentication with one-time passwords, secure QR code provisioning, and recovery codes for lost or stolen devices. Sample Mobile Authentication Applications
User Login AnalyticsMeasure authentication flows using counters and start/stop timers to monitor performance. Timer Node Start, Timer Node Stop, Meter Node, and Monitoring Metric Types

1.2. Authorization Module

This module will help you create powerful, context-based policies with a GUI-based policy editor and with REST APIs to control access to online resources. Resources can be URLs, external services, or devices and things. Authorization management lets you manage policies centrally and enforce them locally through installable agents, or through REST, C, and Java applications. Authorization management is extensible, making it possible to define external subjects, complex conditions, and custom access decisions.

Authorization module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
Entitlement PoliciesModern web-based policy editor for building policies, making it possible to add and update policies as needed without touching the underlying applications Introducing Authorization
Web and Java Agents for EnforcementAccess enforcement for online resources with the capability to require higher levels of authentication and session upgrade when accessing sensitive resources Web Agents User Guide and Java Agents User Guide
Transactional AuthorizationRequires a user to perform additional actions such as reauthenticating to a module or node, or responding to a push notification, to gain access to a protected resource. Implementing Transactional Authorization
OAuth 2.0 Dynamic ScopesA single OAuth 2.0 client configured for a comprehensive list of scopes can serve different scope subsets to resource owners based on policy conditions. Policy Decisions and Authorization Examples

1.3. Federation Module

This module will help you extend SSO capabilities across organization boundaries based on standards-based interoperability.

Federation module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
SAML 2.0 IDP and SPIdentity federation with SaaS applications, such as Salesforce.com, Google Apps, WebEx, and many more Configuring IdPs, SPs, and COTs
SAML 2.0 SSO and SLOWeb Single Sign-On and Single Logout profile support Implementing SAML v2.0 SSO and SLO
ADFSFederation with Active Directory Federation Services Introducing SAML v2.0 Support
SAML 2.0 Attribute and Advanced ProfilesSupport for transmitting only attributes used by targeted applications SAML v2.0 Deployment Overview
OpenID ConnectOpenID Connect 1.0 compliance for running an OpenID Provider, including advanced profiles, such as Mobile Connect Introducing OpenID Connect 1.0
OAuth 2.0OAuth 2.0 compliance for running an authorization server Introducing OAuth 2.0
Social LoginFor acting as an OAuth 2.0 client of social identity providers, such as Facebook, Google, and Microsoft Implementing Social Authentication
OAuth 2.0 Dynamic ScopesA single OAuth 2.0 client configured for a comprehensive list of scopes can serve different scope subsets to resource owners based on policy conditions. Policy Decisions and Authorization Examples

1.4. User-Managed Access Module

This module consists of a consumer-facing implementation of the User-Managed Access (UMA) 2.0 standard. The standard defines an OAuth 2.0-based protocol designed to give individuals a unified control point for authorizing who and what can access their digital data, content, and services. For example, you can use this module to build a solution where end users can delegate access through a share button, and then monitor and change sharing preferences through a central dashboard.

User-Managed Access module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
UMA Standard ConformanceConformance to the UMA 2.0 standard for interoperability with organizational and partner systems, including federated authorization and customer-centric use cases Introducing UMA 2.0
UMA Authorization ServerAuthorization server with dynamic resource set registration, end user control of resource sharing, responses to access requests, and full audit history Introducing UMA 2.0
UMA ProtectorForgeRock Identity Gateway protection for resources and services with the UMA 2.0 standard Supporting UMA Resource Servers

Chapter 2. Identity Management

ForgeRock Identity Management 6.5 brings together multiple sources of identity for policy and workflow-based management that puts you in control of the data. Build a solution to consume, transform, and feed data to external sources to help you maintain control over identities of users, devices, and things.

ForgeRock Identity Management 6.5 software provides the following capabilities:

  • Provisioning

  • Synchronization and reconciliation

  • Adaptable monitoring and auditing services

  • Connections to cloud services with simple social registration

  • Flexible developer access

  • Password synchronization

  • Identity data visualization

  • Delegated administration

  • User self-service

  • Privacy and consent

  • Progressive profile completion

  • Workflow engine

  • OpenICF connector framework to external systems

2.1. Identity Synchronization Module

This module can serve as the foundation for provisioning and identity data reconciliation. Synchronization capabilities are available as a service and through REST APIs to be used directly by external applications. Activities occurring in the system can be configured to log and audit events for reporting purposes.

Identity Synchronization module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
Discovery and SynchronizationSynchronization of identity data across managed data stores Synchronizing Data Between Resources
ReconciliationAlignment between accounts across managed data stores Managing Reconciliation
Password SynchronizationNear real-time password synchronization across managed data stores Password Synchronization Plugin Guide
Directory Services and Active Directory PluginsNative password synchronization plugins for ForgeRock Directory Services and Microsoft Active Directory Synchronizing Passwords With ForgeRock Directory Services (DS), and Synchronizing Passwords With Active Directory
Delegated AdministrationGrant role-based, limited access to perform fine-grained administrative tasks on managed objects Privileges and Delegation
All ConnectorsExtensible interoperability for identity, compliance, and risk management across a variety of specific applications and services Connecting to External Resources

2.2. Self-Service Module

This module can be used to allow end users to manage their own passwords and profiles securely according to predefined policies.

The capabilities in this module are shared with ForgeRock Access Management as described in Introducing User Self-Service.

Self-Service module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
Password ManagementEnd-user self-service UI for changing and resetting passwords based on predefined policies and security questions Resetting User Passwords
Password ResetMechanisms to allow users to reset their own passwords with predefined policies Configuring User Self-Service
Knowledge-Based AuthenticationVerification for user identities based on predefined and end user-created security questions Configuring Self-Service Questions (KBA)
Forgotten UsernameMechanisms to allow users to recover their usernames with predefined policies Forgotten Username
Progressive Profile CompletionShort forms used to simplify registration and incrementally collect profile data over time Progressive Profile Completion
Profile and Privacy Management DashboardDashboard for managing personal user information Privacy: My Account Information in the Self-Service UI
Consent and Preference ManagementConfigurable user preferences Configuring Synchronization Filters With User Preferences
Terms and Conditions (or Terms of Service) VersioningManage multiple terms and conditions Adding Terms and Conditions

2.3. Workflow Module

This module can be used to visually organize identity synchronization, reconciliation, and provisioning into repeatable processes with logging and auditing for reporting purposes.

Workflow module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
Activiti Workflow EngineLightweight workflow and business process management platform. Setting Up Activiti Integration
BPMN 2.0 SupportStandards-based Business Process Model and Notation 2.0 support. BPMN 2.0 and the Activiti Tools
Workflow-Driven ProvisioningDefine provisioning workflows for self-service, sunrise and sunset processes, approvals, escalations, and maintenance. Integrating Business Processes and Workflows

2.4. Social Identity Module

With this module, you can allow users to register and authenticate with specified standards-compliant social identity providers. These users can also link multiple social identity providers to the same account, thus establishing a single consumer identity.

With the attributes collected from each user profile, you can configure the module to authorize access to applications and resources, including lead generation tools.

Social identity module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
RegistrationUser registration with social identity accounts. Configuring Social Identity Providers
AuthenticationSocial login for identity management. OpenID Connect Authorization Code Flow
Account LinkingUsers can select specific social identity providers for logins. Managing Links Between End User Accounts and Social ID Providers
Attribute Scope ManagementAdministrators can include any or all scopes available, by social identity provider. Configuring Social Identity Providers

Chapter 3. Directory Services

ForgeRock Directory Services 6.5 serves as a foundation for LDAPv3 and RESTful directories.

ForgeRock Directory Services software provides the following capabilities:

  • Large-scale, distributed read and write performance

  • Flexible key-value data model for storing users, devices, and things

  • Data storage with confidentiality, integrity, and security

  • High-availability through data replication and proxy services

  • Single logical entry point for use in protecting LDAPv3 directory services

  • Load-balancing and failover for LDAPv3 directory services

  • Maximum interoperability and pass-through delegated authentication

  • Adaptable monitoring and auditing services

  • Easy installation, configuration, and management

  • Developer-friendly, rich standards support

3.1. Directory Server Module

ForgeRock Directory Server module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
LDAPv3Compliance with the latest LDAP protocol standards Understanding Directory Services
REST APIs and REST to LDAP GatewayHTTP-based RESTful access to user data and server configuration RESTful Client Access Over HTTP
DSMLv2 GatewayHTTP-based SOAP access to LDAP operations for web services DSML Client Access
High-Availability Multi-Master ReplicationData replication for always-on services, enabling failover and disaster recovery Managing Data Replication
User/Object StoreFlexible key-value data model for storing users, devices, and things Managing Directory Data
Passwords and Data SecurityPassword digests, encryption schemes, and customizable rules for password policy compliance to help protect data on disk and shared infrastructure Encrypting Directory Data, Configuring Password Policy

3.2. Directory Proxy Server Module

ForgeRock Directory Proxy Server module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
Single Point of AccessUniform view of underlying LDAPv3 directory services for client applications Deploying a Single Point of Directory Access
High Service AvailabilityLDAP services with reliable crossover and DN-based routing Deploying Proxy Services for High Availability
Load-Balancing and FailoverConfigurable load-balancing across directory servers with redundancy, and capabilities to handle referrals, connection failures, and network partitions Choosing a Load Balancing Algorithm
Protection For Directory ServicesSecure incoming and outgoing connections, and provide coarse-grained access control Securing Network Connections, About Global Access Control Policies
Scaling Out Using Data DistributionDistribute data across multiple shards Scaling Out Using Data Distribution
LDAPv3Compliance with the latest LDAP protocol standards Understanding Directory Services
REST APIsHTTP-based RESTful access to user data and server configuration RESTful Client Access Over HTTP

Chapter 4. Identity Gateway

ForgeRock Identity Gateway 6.5 helps you integrate web applications, APIs, and microservices with the ForgeRock Identity Platform, without modifying the application or the container where it runs. Based on reverse proxy architecture, it enforces security and access control in conjunction with the Access Management modules.

ForgeRock Identity Gateway software provides the following capabilities:

  • Protection for IoT services, microservices, and APIs

  • Policy enforcement

  • Adaptable throttling, monitoring, and auditing

  • Secure token transformation

  • Support for identity standards such as OAuth 2.0, OpenID Connect, SAML 2.0, and UMA 2.0

  • Password capture and replay

  • Rapid prototyping

4.1. Identity Gateway Module

The ForgeRock Identity Gateway module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
OpenID Connect AuthenticationFederation according to OpenID Connect 1.0 standards Identity Gateway As an OAuth 2.0 Client or OpenID Connect Relying Party
OAuth 2.0 AuthorizationFederation according to OAuth 2.0 standards Acting As an OAuth 2.0 Resource Server, Acting As an OAuth 2.0 Client or OpenID Connect Relying Party
Access Policy EnforcementEnforcement of centralized authorization policies for applications requiring Access Management Enforcing Policy Decisions and Supporting Session Upgrade
AM STS Token TranslatorAccess to SAML resources for mobile applications (requires Access Management) Transforming OpenID Connect ID Tokens Into SAML Assertions
ThrottlingThrottling to limit access to protected applications Throttling the Rate of Requests to Protected Applications
Password ReplaySecure replay of credentials to legacy applications or APIs Getting Login Credentials From Data Sources
StudioUser interface for rapid development and prototyping Creating Routes Through IG Studio
DevOps ToolingDeploying Basic and Customized Configurations Through Docker Deployment Guide
UMA Resource ServerProtection for resources and services according to the UMA 2.0 standard Supporting UMA Resource Servers

Chapter 5. Edge Security

ForgeRock Edge Security 6.5 software enables you to integrate Internet of Things devices and cloud-based services with ForgeRock Identity Platform. Edge Security software includes ForgeRock Identity Message Broker.

Identity Message Broker software secures and hardens message exchange between edge clients and cloud-based systems. It provides the following capabilities:

  • Token validation on connect

  • Authorization on publish

  • Authorization on receive

5.1. Identity Message Broker Module

The ForgeRock Identity Message Broker module features are described in "Module Features".

Module Features
FeatureDescriptionDocumentation
MQTT Support Interoperability with devices and services supporting Message Queue Telemetry Transport (MQTT) About the Identity Message Broker
Message Authorization Authorization to publish and receive messages based on OpenID Connect and OAuth2 access tokens Setting Up Access Management

Read a different version of :