Supporting over 25 out-of-the-box authentication methods, and with the ability to create custom authentication modules based on the JAAS (Java Authentication and Authorization Service) open standard, ForgeRock Access Management enables you to determine the exact conditions in which a resource can be accessed, and to implement strong multi-factor authentication while keeping friction to a minimum. Scripts can be developed and easily integrated to augment authenticity validation by calling, for example, external identity verification systems. Windows IWA is supported to enable a completely seamless, heterogeneous OS and web application SSO environment. And these requirements can be enforced or exempted using the Adaptive Risk capability.
Provide fine-grained authentication by allowing multiple paths and decision points throughout the authentication flow.
Authentication trees define actions taken during authentication, similar to authentication modules within chains. Authentication nodes are more granular than modules, with each node performing a single task such as collecting a username or making a simple decision. Unlike authentication modules, authentication nodes can have multiple outcomes rather than just success or failure. You can create complex yet customer-friendly authentication experiences by linking nodes together, creating loops, and nesting nodes within a tree.
ForgeRock provides flexible, simple to deploy, and easy to use mobile authentication, seamlessly integrated into the login process. Push Authentication enables secure, passwordless logins and frictionless multi-factor authentication. And one-time passwords provide even more ways to ensure the user is who they say they are. All of this can be implemented using the built-in authentication modules and ForgeRock Authenticator App, available for iOS and Android.
The Adaptive Risk authentication module is used to assess risks during the authentication process, to determine whether to require the user to complete further authentication steps. Adaptive risk authentication determines, based on risk scoring, whether more information from a user is required when they log in. For example, a risk score can be calculated based on an IP address range, access from a new device, account idle time, etc., and applied to the authentication chain. By using context to evaluate the legitimacy of the user’s login attempt, ForgeRock Access Management can bar invalid entrants in real-time.
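As an added illustration (not part of this datasheet and not ForgeRock's own code), the following Python model shows an authentication tree in the sense described above: an adaptive-risk node scores the IP range, new-device and idle-time factors and has the outcomes "low" and "high", while an OTP node has three outcomes including a bounded retry loop. The node names, weights, thresholds and trusted address range are assumptions.

```python
import ipaddress
from dataclasses import dataclass
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed corporate range

@dataclass
class Context:
    """Constructed state for one login attempt (shared by all nodes)."""
    ip: str
    known_device: bool
    idle_days: int
    otp_entered: str
    otp_expected: str
    otp_attempts: int = 0

def risk_node(ctx):
    """Adaptive-risk node: weighted score from three factors; outcomes 'low'/'high'."""
    score = 0
    if ipaddress.ip_address(ctx.ip) not in TRUSTED_NET:
        score += 40   # outside the trusted IP range
    if not ctx.known_device:
        score += 30   # access from a new device
    if ctx.idle_days > 90:
        score += 20   # long idle time before this login
    return "high" if score >= 50 else "low"

def otp_node(ctx):
    """OTP node: three outcomes rather than plain success/failure."""
    ctx.otp_attempts += 1
    if ctx.otp_entered == ctx.otp_expected:
        return "valid"
    return "retry" if ctx.otp_attempts < 3 else "locked"

# Tree: node name -> (node function, {outcome: next node}); "retry" loops back.
TREE = {
    "risk": (risk_node, {"low": "SUCCESS", "high": "otp"}),
    "otp": (otp_node, {"valid": "SUCCESS", "retry": "otp", "locked": "FAILURE"}),
}

def run_tree(ctx, start="risk", max_steps=20):
    """Walk the tree until a terminal; return (result, [(node, outcome), ...])."""
    node, path = start, []
    for _ in range(max_steps):
        if node in ("SUCCESS", "FAILURE"):
            return node, path
        fn, edges = TREE[node]
        outcome = fn(ctx)
        path.append((node, outcome))
        node = edges[outcome]
    return "FAILURE", path  # guard against a runaway loop
```

A low-risk login from a known device on the trusted range reaches SUCCESS without the OTP step; a high-risk login must pass the OTP node, and three wrong codes end in FAILURE via the loop.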
ForgeRock Access Management provides authorization policies, from simple, coarse-grained rules to highly advanced, fine-grained entitlements. Policies can be exported and imported via XACML. By externalizing authorization policy from applications and centralizing it within ForgeRock Access Management, developers can quickly add or change policies as needed, without modification to the underlying applications. Using a modern GUI-based policy editor with point-and-click and drag-and-drop operations, sophisticated policies can be built to deliver controlled access to resources. Developers can easily manage fine-grained policies through REST APIs. For IoT use cases, universal authorization is used, where solution-specific policies can be built with arbitrary resource types and custom actions, such as opening a door lock or switching on a light.
Most access management solutions only assess risk at initial authentication. Contextual authorization with ForgeRock Access Management, on the other hand, allows for continuous security and dynamic, context-based policies. This allows organizations to assess risk not just at the time of authentication, but also as resources are accessed during the digital session. To gain greater knowledge about who the user is and what their context is, external policy information points can be called with easy-to-write scripts. Additional context can then be used to further assess risk, requiring stronger authentication mechanisms only when necessary. This makes the end-user experience simpler while maintaining security by ensuring the authenticity of people, services, and things throughout the duration of each session.
In addition, ForgeRock Access Management can act as a User-Managed Access (UMA) Provider for extensive privacy and consent capabilities, critical in helping to address evolving privacy regulations such as GDPR.
Enable consumers to securely and conveniently approve high risk transactions and events, via mobile phone notifications.
Push authorization provides a first-person approval mechanism that is event-based, increases security, and reduces the threat window for malicious activity. For example, an online bank user attempting to transfer money over a critical threshold to an existing payee would trigger a mobile push notification, which the end user would approve using Touch ID or a swipe. If the user attempted the same transaction only seconds later, the same approval would be required again, reducing the risk of malicious replay attacks. As more people and things come online, organizations need a simple way to manage them. To date, things like MFA have been primarily an authentication process. ForgeRock makes it an authentication and authorization process.
The federation services in ForgeRock Access Management can securely share identity information across heterogeneous systems and domain boundaries using standard identity protocols (SAML, OpenID Connect). This allows users to access services that span the cloud and mobile devices, on premises and off, eliminating the need for multiple passwords, user profiles, and the added complexity that frustrates users and slows adoption. SAML-based federation can be incorporated into authentication chains, enabling the use of federated identities in stronger multi-factor authentication.
Single Sign-On (SSO)
ForgeRock Access Management provides multiple mechanisms for SSO, whether the requirement is to enable SSO in a single domain, enable cross-domain SSO for a single organization, or enable SSO across multiple organizations through the Federation Service. It supports multiple options for enforcing policy and protecting resources, including policy agents that reside on web or application servers. The built-in Security Token Service (STS) can act as a multi-protocol hub, translating for providers that rely on other, older standards. A variety of flexible options for single sign-on are provided.
ForgeRock Access Management is an ideal solution for customer-facing identity where it's essential to employ a light touch when dealing with millions of users, all while providing the highest possible security. Businesses need to deliver a great, easy-to-use self-service login, empowering the user wherever possible, such as through easy self-registration or password reset. Otherwise customers are very quick to go somewhere else.
ForgeRock Access Management supports social sign-on via social identity providers such as Facebook, LinkedIn, Google, Instagram, VKontakte, and WeChat, allowing users to log in directly with their existing social accounts, thus paving the way for rapid customer adoption. In cases where your users should have accounts on your system, the Social Identity module of the ForgeRock Identity Platform can be added, giving full social registration capabilities. This lets users bring registration information such as name, email address, and so on, over from a social provider, significantly shortening registration time.