FAQ: Functionality differences when moving to Identity Cloud
The purpose of this FAQ is to provide answers to commonly asked questions on functionality differences when migrating to ForgeRock Identity Cloud from a self-managed ForgeRock Identity Platform deployment.
Overview
If you're familiar with using ForgeRock on-premises or in your own private cloud, you’ll see some functionality differences when migrating to ForgeRock Identity Cloud. This article provides answers to questions about some of these differences.
Key areas of difference
| Key Difference | Detail |
|---|---|
| Identity Cloud is the platform | In Identity Cloud, you get the functionality of AM and IDM without any need to integrate them. For example, there is no need to deploy a data store or the admin console; this is all part of the Identity Cloud deployment. |
| File system access | There is no access to the file system in Identity Cloud. The way that you access functionality is via REST APIs and the UI. |
| Direct access to the data store | There is no direct access to the data store in Identity Cloud. Instead, ForgeRock manages the data store for you and provides access via REST APIs and the UI. There is no need to configure Directory Services (DS) in Identity Cloud. |
| Custom code and extensibility | In Identity Cloud, you can extend the platform using JavaScript. Groovy and Java binaries are not supported. |
| Extending the data model schema | In Identity Cloud, you can create custom types (managed objects) via the UI. How these are stored is handled by Identity Cloud rather than being explicitly configured. Adding arbitrary custom attributes to the user schema is supported. Currently, there is a limitation on indexing with these; an indexed extension attribute is provided for this purpose. |
| Identity relationships | Adding additional relationships to the default user schema is not supported. Instead, you can use Organizations to create flexible, performant identity structures. |
Unsupported features
The following features are not currently supported in Identity Cloud:
- Autonomous Identity
- Identity Governance
- Identity of Things (IoT)
- LDAP as a Service
- Mutual TLS (mTLS)
- Open Banking
- Security Token Service (STS)
- Sub-entry DS password policies
- User-Managed Access (UMA)
- Workflow
In addition, Identity Cloud only supports a subset of hashed passwords for import.
No planned support
ForgeRock does not plan to support the following in Identity Cloud:
- AM XUI end user login
- Authentication modules and chains
- Groovy
- Java binaries
- SOAP STS
Frequently asked questions
- Q. Can I add a custom cookie domain in Identity Cloud?
- Q. Can I customize policy evaluation with a plugin in Identity Cloud?
- Q. Can I customize SAML 2.0 with plugins in Identity Cloud?
- Q. Can I use Amster with Identity Cloud?
- Q. Can I use ssoadm with Identity Cloud?
- Q. Can I have multiple realms in Identity Cloud?
- Q. Is the amAdmin account available in Identity Cloud?
- Q. Can I extend the data model schema in Identity Cloud?
- Q. Can I connect applications to LDAP (DS) in Identity Cloud?
- Q. Is Kerberos or desktop authentication supported in Identity Cloud?
- Q. Are native log handlers implemented in Identity Cloud?
Q. Can I add a custom cookie domain in Identity Cloud?
A. In Identity Cloud, this is achieved using custom domains.
- If you were onboarded after 17th June 2022:
  - Once you have added a custom domain name to your tenant, the cookie domain matches the custom domain by default.
  - For example, if you add id.mycompany.com as your custom domain, cookies are then set at the custom domain level (id.mycompany.com).
- If you were onboarded on or before 17th June 2022:
  - Once you have added a custom domain name to your tenant, cookies are set at the domain level by default.
  - For example, if you add id.mycompany.com as your custom domain, cookies are then set at the domain level (mycompany.com).
If required, you can request a change to how cookie domains are configured in your tenant by raising a ticket on Backstage. If cookies are set at the domain level by default, you can request that they are set to the custom domain level. If cookies are set at the custom domain level by default, you can request that they are set at the domain level.
See Custom domains for further information.
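The practical difference between the two defaults is which hosts a browser will send the session cookie to: a domain-level cookie (mycompany.com) is attached to requests for every host under that domain, while a custom-domain-level cookie (id.mycompany.com) stays with the Identity Cloud host alone. The following added example, which is not code from the ForgeRock article, applies the RFC 6265 domain-matching rule to a constructed list of hosts so you can see the scope of each choice before raising a change request.

```javascript
// Added example (not from the ForgeRock article). Implements the
// RFC 6265 section 5.1.3 "domain-matching" rule that browsers use to
// decide whether a cookie with a given Domain attribute is sent to a host.
// All host names below are constructed for illustration.

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// True when a cookie whose Domain attribute is cookieDomain would be
// sent on a request to requestHost.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (isIpAddress(host)) return false; // IP literals never suffix-match
  // Suffix match only counts on a label boundary: "notmycompany.com"
  // must not match "mycompany.com".
  return host.endsWith(domain) && host[host.length - domain.length - 1] === ".";
}

// Lists which of the supplied hosts would receive a cookie scoped to cookieDomain.
function hostsReceivingCookie(cookieDomain, hosts) {
  return hosts.filter((h) => domainMatches(h, cookieDomain));
}

const SAMPLE_HOSTS = [ // constructed sample hosts
  "id.mycompany.com",
  "app.mycompany.com",
  "legacy.intranet.mycompany.com",
  "mycompany.com",
  "mycompany.com.evil.example",
  "notmycompany.com",
];

// Custom-domain level (default for tenants onboarded after 17th June 2022):
// only the Identity Cloud host receives the cookie.
const customLevel = hostsReceivingCookie("id.mycompany.com", SAMPLE_HOSTS);
// Domain level (default for tenants onboarded on or before 17th June 2022):
// every host under mycompany.com receives the cookie.
const domainLevel = hostsReceivingCookie("mycompany.com", SAMPLE_HOSTS);

console.log("custom-domain level:", customLevel);
console.log("domain level:", domainLevel);
```

A domain-level cookie is what lets other applications under mycompany.com share the session, but it also means every one of those hosts can read the cookie, which is why the scope is worth reviewing before requesting a change.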
Q. Can I customize policy evaluation with a plugin in Identity Cloud?
A. In Identity Cloud, you can use scripted policy conditions instead to modify the actions taken by Identity Cloud during policy evaluation.
See Scripted policy conditions for further information.
Q. Can I customize SAML 2.0 with plugins in Identity Cloud?
A. Identity Cloud provides a scripting engine and template scripts for you to extend SAML 2.0 behavior. Java plugins are not available with Identity Cloud.
See Customize SAML v2.0 with plugins for further information.
Q. Can I use Amster with Identity Cloud?
A. Amster is not supported in Identity Cloud deployments. However, several options are available to help with managing configuration data. These include:
- Journey export and import: You can export and import journeys through the Identity Cloud admin UI, including all dependencies like nodes, inner trees, scripts, and any themes that have been attached to a journey. You can use this feature to export journeys from one environment, such as a development environment, to another. See Journeys for further information.
- Postman collection: ForgeRock provides a Postman collection containing example requests grouped into features to help you quickly use and understand REST APIs. See Identity Cloud Postman collection for further information.
- Open source tooling: Community-supported tools such as frodo may be used to manage configuration in Identity Cloud.
Disclaimer
Frodo is a community-supported open source project. It is not supported by ForgeRock.
Q. Can I use ssoadm with Identity Cloud?
A. ssoadm is not available in Identity Cloud. This is because ssoadm talks directly to DS, which is not a requirement of Identity Cloud. You should use the options outlined above to help with managing configuration data.
Q. Can I have multiple realms in Identity Cloud?
A. Identity Cloud tenants include two default realms, Alpha and Bravo, which are configurable. See Alpha and Bravo realms for further information.
If you want to group identities further to suit your business needs, you can use the Organizations feature in Identity Cloud. See Organizations for further information.
Q. Is the amAdmin account available in Identity Cloud?
A. No. The amAdmin account is not available.
Q. Can I extend the data model schema in Identity Cloud?
A. You can create custom types (managed objects) via the UI. How these are stored is handled by Identity Cloud rather than being explicitly configured. Adding arbitrary custom attributes to the user schema is supported. However, there is currently a limitation on indexing with these; an indexed extension attribute is provided for this purpose.
See Identity Cloud identity schema for further information.
Q. Can I connect applications to LDAP (DS) in Identity Cloud?
A. Not directly; the DS instance in Identity Cloud is not exposed for applications to connect to. If you have an existing on-premises DS instance that your applications connect to, you will need to use a Remote Connector Server (RCS) to connect to your on-premises DS instance and then sync data via Identity Cloud. See Sync identities and Sync Identities in Identity Cloud for further information.
Q. Is Kerberos or desktop authentication supported in Identity Cloud?
A. The Kerberos node is not supported in Identity Cloud. The supported strategy for AD SSO is described here: ADFS SSO integration with Identity Cloud as SAML service provider.
Q. Are native log handlers implemented in Identity Cloud?
A. In Identity Cloud, audit and debug log data is extracted via a consolidated REST endpoint.
See View audit and debug logs for further information.