Applications can be located on-premises or in the cloud, use a range of credential types (including certificates, username and password, or JWTs), and be both modern applications using current federation protocols and legacy applications that may have been developed long before such protocols existed.
Our comprehensive single and same sign-on platform components include:
- Policy agents
- Federated SSO
- Web and mobile SDKs
- Identity Gateway
- Device integration
Resources can be protected through the use of policy agents. Policy agents are available for common resources, including web servers and Java applications. These agents interface with ForgeRock's access management component to request authorization decisions, allowing or denying access to underlying resources as directed.
Federated SSO is widely used to provide single and same sign-on both within organizations and with applications outside the organization. It is generally a fast and easy integration pattern.
ForgeRock supports all major federation standards, including:
- Federation protocols. SAML 2.0 (SP, IdP, ECP, and IdP Proxy) and WS-Federation (asserting, relying party).
- Next-generation federation standards for cloud and mobile use cases. Includes full implementation of OpenID Connect (OIDC), Mobile Connect, OAuth 2.0 (consumer, provider, authorization server), and User-Managed Access (UMA).
- Web services security standards. Liberty ID-WSF, WS-I Basic Security Profile and WS-Trust (STS) 1.4.
- GOV.UK Verify Identity Assurance Hub Service SAML profile.
- FICAM (federal identity, credential, and access management) compliant. This is an initiative defined by the U.S. Federal Government to simplify identity and access management across government systems.
See What federation standards does AM support? for further information.
ForgeRock provides SDKs for web and mobile applications (iOS and Android). Our SDK strategy is to expose core ForgeRock functionality, enabling developer ease of use, whilst leveraging ForgeRock best practices for token exchange, security and rapid integration with intelligent user journeys.
SDK features include:
- A separate UI module for quick UI development.
- Best practice token security.
- SSO to multiple applications on a mobile device.
- Pluggable and extensible architecture.
- Device management capabilities for users.
Note that the APIs our SDKs call to enable SSO are also available directly.
See ForgeRock SDKs for further information.
ForgeRock Identity Gateway can be put in place and used for applications that do not support the default integration patterns.
Identity Gateway is a unique reverse proxy that can be configured to protect any web application running on any other technology. It can add throttling, SSO, OAuth 2.0, OIDC, SAML SP, UMA resource server, and more capabilities to protected applications and a number of different caching mechanisms that greatly enhance performance in high load scenarios.
Identity Gateway can also protect APIs that may need to be exposed to customers and partners. As it intercepts requests before they reach the protected application, the gateway integration is agentless with little or no changes required to the protected application. Identity Gateway verifies the authenticating user, determines the requirements of the destination, and provides the required information (for example, HTTP headers, cookies, form fill, JWT, and certificate).
ForgeRock provides a range of device integration options, which enable the capture of credentials at the time they are entered, using the native device protocols. For example, OAuth 2.0 for mobile devices.
The ForgeRock solution includes a fedlet, which is a small web application that acts as a lightweight SAML 2.0 service provider (SP). A fedlet is installed in front of the application which is to be service provider-enabled. Fedlets are easy to integrate into Java applications and come with a lightweight API and extensive documentation for simple integration with the service provider application. A fedlet does not require an entire access management installation alongside your application but instead can redirect to the access management component for single sign-on, and to retrieve SAML assertions.