Product Q&As
ForgeRock Identity Cloud
ForgeRock Identity Platform

Does the ForgeRock solution support no-code identity orchestration?

Last updated Jan 24, 2023

This article provides answers to frequently asked questions on no-code identity orchestration when evaluating the ForgeRock solution. Our no-code identity orchestration tool provides a drag-and-drop workflow interface that allows administrators to easily assemble and adjust workflow for steps such as registration, authentication, authorization, and self-service in user journeys.

Questions

Does the solution offer a single orchestration engine across registration, self-service and authentication, or does the customer need to learn multiple tools to build user journeys?

ForgeRock Intelligent Access provides a single drag-and-drop orchestration engine across multiple IAM capabilities. Intelligent Access is a powerful visual designer that allows you to orchestrate, personalize, and secure user journeys for:

  • Self-service capabilities such as registration, access requests, account management, and password reset.
  • Contextual and adaptive authentication, including passwordless authentication and multi-factor authentication (MFA).
  • Zero Trust, fraud mitigation, and IoT security.

Intelligent Access helps you reduce IT costs and improve the customer experience, drive higher engagement rates, increase customer loyalty, and improve operational efficiency while reducing risk.

Does the solution allow registration, authorization and authentication journeys to be easily created, viewed and changed with no-code drag-and-drop functionality?

Yes. With ForgeRock Intelligent Access, workflow-like decision trees can be easily viewed, created, changed and configured with no-code, drag-and-drop functionality for a user journey. The nodes within the tree can take account of context factors such as location, IP address, device type, network, or any other contextual information that is included in the request. Based on the outcome, nodes can be configured for risk calculations, modifications to authentication level, alteration of session properties, and more. Administrators can use digital signals to design a smart login journey that minimizes friction and maximizes security for legitimate users, while denying access or redirecting suspicious users to a sandbox environment for further monitoring.

How does the solution configure, measure and adjust authentication journeys using factors and digital signals (context, risk, behavior, choice, analytics) to not only determine risk, but to improve the user experience and inform downstream apps of the accumulated knowledge gained during the authentication journey?

It is no longer sufficient to use one or two factors for authentication. Additional signals such as contextual, behavioral and risk-based factors (adaptive authentication) must also be considered. ForgeRock Intelligent Access addresses the balance between the need for more secure, risk-aware authentication scenarios, while still maintaining a friction-free login experience for users.

Delivered through a no-code trees framework, Intelligent Access provides a powerful platform for modeling the authentication journey using numerous nodes to detect digital signals, make decisions, and direct the authentication accordingly. Intelligence can be built in to direct the journey, gathering information along the way. This information is used to determine risk and to inform downstream apps of the accumulated knowledge gained during the authentication journey, for example, the derived risk score or geolocation of the user.

Authentication journeys can be configured to present authentication mechanisms to the user and allow them to select which one to use. Administrators can also alter login. For example, if a device a user logs in from is Microsoft based or Linux based, and may choose to include non-identity related data during login processing.

How does the solution pre-identify a user's digital signal (such as location, IP address, device type, operating system, browser type) before a username is collected?

Using ForgeRock Intelligent Access, you can pre-identify digital signals such as a user's location, IP address, device type, operating system, browser type, user profile attributes, device cookie, last login, request header, time of day, and device fingerprint before a username is collected. Multiple paths, each evaluating a digital signal, can be connected to intelligently adjust login journeys for suspicious users. Our native SDKs allow you to capture various inputs such as location, device integrity, device registration, IP address, and network information.

The client application would need to use the ForgeRock SDK in order to provide the digital signals to ForgeRock through one of the JavaScript, iOS or Android integrations. When the user opens the browser or application, the SDK can collect information about the device for profiling and IP location for geofencing if the location is deemed high risk. This data can be stored against the user's profile to build a picture of login activity, allowing devices to be trusted by the platform and providing a frictionless user experience where activities such as transactions would require additional authentication. 

See ForgeRock SDKs for further information on the ForgeRock SDKs.

Does the solution provide out of the box authenticators, the ability to custom build authenticators, and have rapid integration with third-party authentication, fraud and risk providers in a centralized place?

Yes. Extensibility is a key feature of ForgeRock. Customer-specific authentication methods can be easily added using scripting that can be configured in the same way as out of the box authentication methods. ForgeRock also has an extensive community and partner network that provides additional authentication methods. It doesn't matter which vendor provides the additional authentication methods as long as standards-based integration endpoints or APIs are available that ForgeRock can invoke to trigger and validate authentication events.

Common authenticators include:

  • Third-party authentication nodes: ForgeRock has a rapidly growing community of 120+ Trust Network Technology Partners who are contributing authentication nodes via the ForgeRock Marketplace. These nodes enable various best-of-breed, strong authentication, risk-assessment and service providers to be incorporated into the authentication flow.
  • Custom authentication nodes: Organizations can easily author their own authentication nodes and incorporate them into their deployment. Where the node functionality is lightweight, it may be an option to script the provided Decision node to perform REST calls to other authentication factors, for example. See Node development for further information on developing and maintaining authentication nodes.

Does the solution include transactional authorization for high-risk transactions within a session?

Yes. ForgeRock supports transactional authorization to improve security by requiring a user to perform additional authentication action(s) when trying to access a resource protected by an authorization policy. While transactional authorization can make use of any authentication method, typically organizations would use the ForgeRock Authenticator to send a push notification to a user's mobile device to authorize access to a protected resource. 

See Transactional authorization (Identity Cloud) and Transactional authorization (AM) for further information on transaction authorization in deployments.

The ForgeRock SDKs (iOS, Android and JavaScript) also have built-in support for transactional authorization. When the ForgeRock SDKs attempt to access a resource protected with transactional authorization, the user must perform additional actions, such as re-authenticate to a strong authentication tree, or respond to a push notification. 

See Perform Transactional Authorization for further information on built-in support for Transactional Authorization in the ForgeRock SDKs.

How does the solution provide audit of an authentication event that was executed in the orchestration engine?

ForgeRock applies contextual identity, fine-grained authentication, adaptive risk and multi-factor authentication at the time of authentication as well as at any point during a digital session. Our continuous security approach ensures the authenticity of people, things and services at all times and can mitigate risk whenever an anomaly is detected.

Contextual authorization is implemented through ForgeRock authentication nodes and, in certain cases, associated client-side scripting or SDKs, and authorization policies. With ForgeRock Intelligent Access, signals such as context (for example, IP address, operating system, browser, device, time of day), behavior (for example, 'does the user log in at a particular hour' or 'is the location familiar’), and risk-based factors (such as 'is the user accessing sensitive data') can be considered. If an environmental or context attribute changes (for example, the user's IP address), re-authentication or a stronger credential can be requested.

Authorization policies define the rules on which authorization decisions are made. Since policy decisions are made at the time of access rather than user authentication, contextual authorization enables continuous real-time authorization decisions based on live data. Predefined objects and methods are available to access the user's profile and session data, together with helper functions allowing access to external resources such as web services and REST services. Additionally, authorization policy scripts can be used to define more complex policy decisions locally or call out to external services for additional information upon which to make a decision.

See Also

Does the ForgeRock solution offer multi-factor authentication (MFA)?

Does the ForgeRock CIAM solution provide Zero Trust Security and a CARTA model of risk?

Identity Cloud documentation:

AM documentation:

An Introduction to ForgeRock Intelligent Access (whitepaper)
Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.