Product Q&As
ForgeRock Identity Cloud
ForgeRock Identity Platform

Does the ForgeRock CIAM solution provide support for a single view of identities?

Last updated Jan 24, 2023

This article provides answers to frequently asked questions on support for a single view of identities when evaluating the ForgeRock solution for Customer Identity and Access Management (CIAM).

Can the solution integrate with other systems to create a single view of the customer across the organization?

Yes. With ForgeRock, you can build a single view of the user in order to gain a complete picture of your customers and their interactions with your organization. This can be achieved by meeting several requirements, including:

  • establishing a common customer data model
  • connecting a broad range of data sources
  • implementing simple synchronization and reconciliation logic
  • allowing access to customer data in an appropriate format

Can the solution provide live bidirectional synchronization and reconciliation of identity attributes between data stores?

Yes. Reconciliation is the process of bidirectional synchronization of objects between different data stores. The reconciliation of data is one of the core features of the ForgeRock solution. As long as a connector is available to access data in an application, reconciliation can be configured and customized to meet your requirements. ForgeRock can be used as either the source or the target, or neither.

How does the solution administrator configure the migration of customers from a previous solution into the ForgeRock solution? 

Depending on what identity data is allowed in the source CIAM solution, the export of it may be possible in order to acquire the hashed password data in a format supported by ForgeRock. In this scenario, the user data is synchronized with ForgeRock in a “big-bang” approach and the user can seamlessly log in with their identity data stored in ForgeRock when the access control plane is switched.

However, the big bang example above isn't always possible, for instance, when identities are stored in Active Directory (AD) or any other identity repository with no way to extract the password hash. In this case, you can leverage ForgeRock’s Pass-through capability, which allows you to verify the password against the remote data store, such as AD, without requiring the data to be migrated or the user resetting the password.

You can also use Pass-through if migrating batches of users from the source CIAM solution in a staggered way, by first checking if the user is migrated and if so, validating locally. If no record is found locally, then try validation against the remote data source.  

How does the solution administrator import existing password hashes?

Password hashes can be imported using the Remote Connector Service (RCS) and one of the standards-based OpenICF connectors. The remote connectors are used for synchronization with data stores on premises, in a private cloud, or in a public cloud. There are a number of connectors bundled with the ForgeRock solution, and additional ones are available for download.

RCS allows ForgeRock to interface with almost any backend data store for synchronization and attribute acquisition without the need to open inbound firewall rules to allow external access to services deep within a customer environment. These can be identities within databases and LDAP directories. For example, identities that can have their passwords and other identity data synchronized to ForgeRock. 

See Also

ForgeRock Identity Cloud documentation:

ForgeRock Identity Platform documentation:

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.