Product Q&As
ForgeRock Identity Platform
Does not apply to Identity Cloud

Does the ForgeRock Identity Platform provide an identity store?

Last updated Jan 23, 2023

This article provides answers to frequently asked questions regarding the identity store when evaluating the ForgeRock Identity Platform.


Does the ForgeRock Identity Platform have its own integrated identity store?

Yes. One of the foundation components of the ForgeRock Identity Platform is ForgeRock Directory Services (DS). DS is a lightweight repository that can easily share real-time customer, device, and user identity data across enterprise, cloud, social, and mobile environments. DS is the repository for storing identities, and it also provides a data layer (the LDAP directory server) and an access layer (the LDAP proxy server), supporting both REST and LDAP clients.

Although its use is not mandatory, DS is put in place as the corporate directory in most installations. Other directories, such as Active Directory, can function as the sole identity repository, the repository for authentication actions only, or can be configured as an authoritative or dependent data source. In cases where other directories are used, communication occurs through adapter or connector components that communicate over the native protocol of the directory, such as LDAP, PowerShell or SQL.

DS is a highly scalable (hundreds of millions+) and highly resilient credential store, and in some cases it is all an organization needs for its identity store layer. However, most organizations do not have greenfield identity deployments, and their identity data sits in many disparate identity silos across many lines of business. To gain a consolidated view of this identity data, you need to look beyond DS to ForgeRock Identity Management (IDM).

See Directory Services for further information.

Does the identity store encrypt data both at rest and in transit?

Yes. ForgeRock Directory Services (DS) is a flexible and scalable LDAP v3 compatible directory service. DS implements both hashing and encryption of fields containing password information. Passwords are, by default, stored in DS as salted and hashed values. In addition, the entire data storage backend can be encrypted. The directory server can encrypt directory data before storing it in a database backend on disk, so that the data stays encrypted until a directory client accesses it.

ForgeRock supports Transport Layer Security (TLS)/Secure Sockets Layer (SSL) to encrypt data in transit. The primary data store for ForgeRock Access Management (AM) is DS, which implements both hashing and encryption of fields containing password information.

See Security for further information.

Does the identity store offer fractional and multi-master replication?

Yes. ForgeRock supports both fractional replication and multi-master replication. Fractional replication allows you to specify the attributes to include in the replication process, or the attributes to exclude from it. N-way multi-master replication is typically used to build highly available architectures and/or to support a disaster recovery plan. The number of replicated servers is not limited, but replication has been tested with up to 100 servers.

See Replication for further information.

Can the identity store scale to support data from hundreds to millions of identities, including devices and ‘things’?

Yes. ForgeRock manages and secures over four billion identities for global customers across all industries. 

From day one, the ForgeRock platform was designed for the high scale required by CIAM and IoT solutions, and the deep understanding that identity was not confined to users but extends to devices, services, and things. Where other platforms might be challenged by hundreds of thousands of identities, the ForgeRock platform can effortlessly scale to many millions of identities. The average customer leverages our solution for one million user identity requirements, with several customers approaching or exceeding 100 million.

Does the identity store comply with LDAP v3 and integrate seamlessly with any directory?

Yes. ForgeRock Access Management (AM) can be configured to access existing directory servers to obtain identity profiles. The identity store can be one of various LDAP directory stores, such as ForgeRock Directory Services (DS), Active Directory, and any LDAP v3 compliant directory. 

See Also

Directory Services documentation

 Directory Services

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.