ForgeRock Identity Platform 7.5

Access Management

Overview of capabilities

  • Intelligent access

  • Mobile authentication

  • Push authentication

  • Adaptive risk authentication

  • Authorization policies and enforcement

  • Federation

  • Single sign-on (SSO)

  • User self-services and social sign-on

  • High-availability and scalability

  • Adaptable monitoring and auditing services

  • Developer-friendly, rich standards support


Several Access Management modules require other modules. For example, the Federation module requires the Intelligent Access module. The following diagram summarizes Access Management module dependencies:

AM module dependencies

Intelligent Access modules

This module will help you build secure, robust, centrally managed single sign-on services. The user, application, or device signs on once and then is granted appropriate access everywhere. Authentication management integrates delegated authentication chains with many authentication methods supported by default. Authentication trees store authentication sessions in the client as a cookie, or in the CTS store. If the AM server goes down or the user is redirected to another AM while authenticating, the new AM server can grab the authentication session and continue the flow. All authentication-related events are logged for auditing and reporting purposes.

Required modules: none.

Feature Description Documentation

Authentication trees and nodes

Authentication trees provide fine-grained authentication, social authentication, and multi-factor authentication. Trees are made up of authentication nodes. Authentication nodes allow multiple paths and decision points throughout the authentication flow, enabling AM to handle different modes of authenticating users.

Session high availability

Persistent access management sessions, authenticating the user until the session expires.

Session high availability is enabled by default with no setup required.

Multi-factor and strong authentication

Capability to challenge for additional credentials when authentication takes place under centrally-defined risky or suspicious conditions.

External configuration store

Configuration storage in ForgeRock Directory Services for high-availability.

Security token service

Bridges identities across web and enterprise identity access management (IAM) systems through a token transformation process, securely providing cross-system access to service resources by authenticated requesting applications.

Web and Java agents for SSO

Intercept requests to access protected resources and redirect for appropriate authentication.

User login analytics

Measure authentication flows using counters and start/stop timers to monitor performance.

Authorization module

This module will help you create powerful, context-based policies with a GUI-based policy editor and with REST APIs to control access to online resources. Resources can be URLs, external services, or devices and things. Authorization management lets you manage policies centrally and enforce them locally through installable agents, or through REST, C, and Java applications. Authorization management is extensible, making it possible to define external subjects, complex conditions, and custom access decisions.

Required module: Intelligent Access.

Feature Description Documentation

Entitlement policies

Modern web-based policy editor for building policies, making it possible to add and update policies as needed without touching the underlying applications.

Web and Java agents for enforcement

Access enforcement for online resources with the capability to require higher levels of authentication and session upgrade when accessing sensitive resources.

Transactional authorization

Requires a user to perform additional actions such as reauthenticating to a module or node, or responding to a push notification, to gain access to a protected resource.

OAuth 2.0 dynamic scopes

A single OAuth 2.0 client configured for a comprehensive list of scopes can serve different scope subsets to resource owners based on policy conditions.

Federation module

This module will help you extend SSO capabilities across organization boundaries based on standards-based interoperability.

Required module: Intelligent Access.

Feature Description Documentation

SAML 2.0 IDP and SP

Identity federation with SaaS applications, such as, Google Apps, WebEx, and many more.

SAML 2.0 SSO and SLO

Web Single Sign-On and Single Logout profile support.


Federation with Active Directory Federation Services.

SAML 2.0 Attribute and Advanced Profiles

Support for transmitting only attributes used by targeted applications.

OpenID Connect

OpenID Connect 1.0 compliance for running an OpenID Provider, including advanced profiles, such as Mobile Connect.

OAuth 2.0

OAuth 2.0 compliance for running an authorization server.

Social login

For acting as an OAuth 2.0 client of social identity providers, such as Facebook, Google, and Microsoft.

OAuth 2.0 dynamic scopes

A single OAuth 2.0 client configured for a comprehensive list of scopes can serve different scope subsets to resource owners based on policy conditions.

User-Managed Access module

This module consists of a consumer-facing implementation of the User-Managed Access (UMA) 2.0 standard. The standard defines an OAuth 2.0-based protocol designed to give individuals a unified control point for authorizing who and what can access their digital data, content, and services. For example, you can use this module to build a solution where end users can delegate access through a share button, and then monitor and change sharing preferences through a central dashboard.

Required modules: Authorization, Intelligent Access.

Feature Description Documentation

UMA standard conformance

Conformance to the UMA 2.0 standard for interoperability with organizational and partner systems, including federated authorization and customer-centric use cases.

UMA authorization server

Authorization server with dynamic resource set registration, end-user control of resource sharing, responses to access requests, and full audit history.

UMA protector

ForgeRock Identity Gateway protection for resources and services with the UMA 2.0 standard.

Copyright © 2010-2024 ForgeRock, all rights reserved.