Supporting over 25 out-of-the-box authentication methods, and with the ability to create custom authentication modules based on the JAAS (Java Authentication and Authorization Service) open standard, ForgeRock Access Management enables you to determine the exact conditions in which a resource can be accessed, and to implement strong multi-factor authentication while keeping friction to a minimum. Scripts can be developed and easily integrated to augment authenticity validation by calling, for example, external identity verification systems. Windows IWA is supported to enable a completely seamless, heterogeneous OS and web application SSO environment. And these requirements can be enforced or exempted using the Adaptive Risk capability.
Provide fine-grained authentication by allowing multiple paths and decision points throughout the authentication flow. Authentication trees define actions taken during authentication, similar to authentication modules within chains. Authentication nodes are more granular than modules, with each node performing a single task such as collecting a username or making a simple decision. Unlike authentication modules, authentication nodes can have multiple outcomes rather than just success or failure. You can create complex yet customer-friendly authentication experiences by linking nodes together, creating loops, and nesting nodes within a tree.
ForgeRock provides flexible, simple to deploy, and easy to use mobile authentication, seamlessly integrated into the login process. Push Authentication enables secure, passwordless logins and frictionless multi-factor authentication. And one-time passwords provide even more ways to ensure the user is who they say they are. All of this can be implemented using the built-in authentication modules and ForgeRock Authenticator App, available for iOS and Android.
The Adaptive Risk authentication module is used to assess risks during the authentication process, to determine whether to require the user to complete further authentication steps. Adaptive risk authentication determines, based on risk scoring, whether more information from a user is required when they log in. For example, a risk score can be calculated based on an IP address range, access from a new device, account idle time, etc., and applied to the authentication chain. By using context to evaluate the legitimacy of the user’s login attempt, ForgeRock Access Management can bar invalid entrants in real-time.
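To make the two ideas above concrete (nodes with several named outcomes, loops and nested trees; a risk score derived from IP range, device novelty and idle time), here is an added, self-contained illustration in JavaScript. It is not ForgeRock code and does not use the AM scripting API; the node names, the 10.0.0.0/16 "known" IP range, the score weights, the 30/70 thresholds and the three-attempt OTP lockout are all assumptions chosen for the example, and the login contexts are constructed.

```javascript
// Added illustration, not ForgeRock code: a minimal authentication-tree
// engine in which each node returns one of several named outcomes, edges
// map outcomes to the next node, a node may loop back to itself, and a
// node may wrap a nested tree. The risk node scores the login context
// (IP range, new device, idle time) along the lines the text describes.

// Constructed login context; every field and default is assumed.
function makeContext(overrides = {}) {
  return Object.assign({
    username: "alice",
    password: "s3cret",
    storedPassword: "s3cret",
    ip: "10.0.1.5",                 // "known" corporate range assumed to be 10.0.0.0/16
    deviceId: "dev-known",
    knownDevices: ["dev-known"],
    idleDays: 3,
    expectedOtp: "123456",
    otpInputs: [],                  // OTP values the user will submit, in order
  }, overrides);
}

// Risk scoring: higher means more suspicious; weights are assumed.
function riskScore(ctx) {
  let score = 0;
  if (!ctx.ip.startsWith("10.0.")) score += 40;              // outside the known range
  if (!ctx.knownDevices.includes(ctx.deviceId)) score += 30; // never-seen device
  if (ctx.idleDays > 90) score += 20;                        // dormant account
  return score;
}

// Node handlers: each performs one task and returns an outcome string.
const handlers = {
  username: ctx => (ctx.username ? "collected" : "missing"),
  password: ctx => (ctx.password === ctx.storedPassword ? "true" : "false"),
  risk: ctx => {
    const s = riskScore(ctx);
    return s < 30 ? "low" : s < 70 ? "medium" : "high";       // three outcomes, not two
  },
  otp: ctx => {
    ctx.otpAttempts = (ctx.otpAttempts || 0) + 1;
    if (ctx.otpAttempts > 3) return "locked";                 // breaks the retry loop
    return ctx.otpInputs.shift() === ctx.expectedOtp ? "true" : "false";
  },
};

// Nested tree: OTP collection that loops on a wrong code until locked out.
const mfaTree = {
  start: "otp",
  nodes: { otp: { outcomes: { true: "SUCCESS", false: "otp", locked: "FAILURE" } } },
};

// Main tree: low risk logs straight in, medium risk steps up to the nested
// MFA tree, high risk is refused.
const loginTree = {
  start: "username",
  nodes: {
    username: { outcomes: { collected: "password", missing: "FAILURE" } },
    password: { outcomes: { true: "risk", false: "FAILURE" } },
    risk:     { outcomes: { low: "SUCCESS", medium: "mfa", high: "FAILURE" } },
    mfa:      { subtree: mfaTree, outcomes: { SUCCESS: "SUCCESS", FAILURE: "FAILURE" } },
  },
};

// Walk a tree from its start node until it reaches SUCCESS or FAILURE.
// `trail` records "node:outcome" for every step, nested steps included.
function evaluate(tree, ctx, trail = []) {
  let current = tree.start;
  for (let steps = 0; steps < 100; steps++) {       // guard against runaway loops
    if (current === "SUCCESS" || current === "FAILURE") return { result: current, trail };
    const name = current;
    const spec = tree.nodes[name];
    const outcome = spec.subtree
      ? evaluate(spec.subtree, ctx, trail).result   // nested tree's final result is this node's outcome
      : handlers[name](ctx);
    trail.push(`${name}:${outcome}`);
    current = spec.outcomes[outcome];
    if (current === undefined) throw new Error(`node ${name} has no edge for outcome ${outcome}`);
  }
  throw new Error("authentication tree did not terminate");
}

function authenticate(ctx) {
  return evaluate(loginTree, ctx);
}

// Stand-alone run over four constructed scenarios.
if (typeof require !== "undefined" && require.main === module) {
  console.log(authenticate(makeContext()));
  console.log(authenticate(makeContext({ ip: "203.0.113.9", otpInputs: ["111111", "123456"] })));
  console.log(authenticate(makeContext({ ip: "203.0.113.9", otpInputs: ["1", "2", "3", "4"] })));
  console.log(authenticate(makeContext({ ip: "198.51.100.7", deviceId: "dev-new", idleDays: 120 })));
}
```

The trail shows why multi-outcome nodes matter: the same tree sends a low-risk login straight through, routes a medium-risk one into the nested OTP loop (which retries on a wrong code and locks after three), and refuses a high-risk one without ever prompting for a second factor.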
ForgeRock Access Management provides authorization policies, from basic, simple, coarse-grained rules to highly advanced, fine-grained entitlements. Policies can be exported and imported via XACML. By externalizing authorization policy from applications and centralizing it within ForgeRock Access Management, developers can quickly add or change policies as needed, without modification to the underlying applications. Using a modern GUI-based policy editor with its point-and-click and drag-and-drop operations, sophisticated policies can be built to deliver controlled access to resources. Developers can easily deal with fine-grained policies through REST APIs. For IoT use cases, universal authorization is used where solution-specific policies can be built with arbitrary resource types and custom actions, such as opening a door lock or switching on a light. Most access management solutions only assess risk at initial authentication. Contextual authorization with ForgeRock Access Management, on the other hand, allows for continuous security and dynamic, context-based policies. This allows organizations to assess risk not just at the time of authentication, but also as resources are accessed during the digital session. To gain greater knowledge about who the user is and what their context is, external policy information points can be called with easy-to-write scripts. Additional context can then be used to further assess risk, requiring stronger authentication mechanisms only when necessary. This makes the end user experience simpler while maintaining security by ensuring the authenticity of people, services, and things throughout the duration of each session. In addition, ForgeRock Access Management can act as a User-Managed Access (UMA) Provider for extensive privacy and consent capabilities, critical in helping to address evolving privacy regulations such as GDPR.
Enable consumers to securely and conveniently approve high-risk transactions and events via mobile phone notifications. Push authorization provides a first-person approval mechanism that is event-based, increases security, and reduces the threat window for malicious activity. For example, an online bank user attempting to transfer money over a critical threshold to an existing payee would trigger a mobile push notification, which the end user would approve using Touch ID or a swipe. If the user attempted the same transaction only seconds later, the same approval would be required, to reduce malicious replay attacks. As more people and things come online, organizations need a simple way to manage them. To date, things like MFA have been primarily an authentication process. ForgeRock makes it an authentication and authorization process.
The federation services in ForgeRock Access Management can securely share identities across heterogeneous systems and domain boundaries using standard identity protocols (SAML, OpenID Connect). This allows users to access services that span the cloud and mobile devices, on premises and off, eliminating the need for multiple passwords, user profiles, and the added complexity that frustrates users and slows adoption. SAML-based federation can be incorporated into authentication chains, enabling the use of federated identities in stronger multi-factor authentication.
Single Sign-On (SSO)
ForgeRock Access Management provides multiple mechanisms for SSO, whether the requirement is to enable SSO in a single domain, enable cross-domain SSO for a single organization, or enable SSO across multiple organizations through the Federation Service. It supports multiple options for enforcing policy and protecting resources, including policy agents that reside on web or application servers. The built-in Security Token Service (STS) can act as a multi-protocol hub, translating for providers who rely on other, older standards. A variety of flexible options for single sign-on are provided.
ForgeRock Access Management is an ideal solution for customer-facing identity where it’s essential to employ a light touch when dealing with millions of users, all while providing the highest possible security. Businesses need to deliver a great, easy-to-use self-service login, empowering the user wherever possible, such as through easy self-registration or password reset. Otherwise customers are very quick to go somewhere else.
ForgeRock Access Management supports social sign-on via social identity providers such as Facebook, LinkedIn, Google, Instagram, VKontakte, and WeChat, allowing users to log in directly with their existing social accounts, thus paving the way for rapid customer adoption. In cases where your users should have accounts on your system, the Social Identity module of the ForgeRock Identity Platform can be added, giving full social registration capabilities. This lets users bring registration information such as name, email address, and so on, over from a social provider, significantly shortening registration time.
OAuth 2.0 Proof of Possession and Device Registration
The ForgeRock Identity Platform is an early adopter of the OAuth 2.0 Proof of Possession standard, ensuring that a token presented by a client (for example, a web browser accessing an application, or an IoT device connecting to a back-end system, and so on) is being presented by its rightful owner. This provides a transparent challenge/response-style interaction to prove the client is the intended owner of the access token and allows organizations to confidently create applications and services to meet their customers’ needs, with less concern about token misuse from man-in-the-middle and other attacks. In addition, device registration or pairing to particular services can be easily set up according to the de-facto standard OAuth 2.0 Device Flow, enabling companies to create unique product offerings that incorporate trusted devices and things.
DevOps and Developer Support
ForgeRock Access Management was designed from the beginning for interoperability and massive scale, ideal for customer-facing deployments. Today, companies creating new products and services have embraced DevOps to achieve a faster time to market. With its DevOps-friendly architecture, ForgeRock Access Management integrates seamlessly into continuous delivery environments, providing a comprehensive set of identity services to help companies generate new revenue streams and set themselves apart from the competition. With ForgeRock Access Management, organizations can leverage automation and orchestration for push-button deployment and continuous delivery. Additionally, ForgeRock Access Management provides client application programming interfaces with Java and C APIs and a RESTful API that can return JSON or XML over HTTP, allowing users to access authentication, authorization, and identity services from web applications using REST clients in their language of choice. OAuth 2.0 also provides a REST interface for the modern, lightweight federation and authorization protocol. Features such as user self-service, policy, and security token service are also exposed through REST APIs, making it simple for developers to adopt powerful functionality. Widely used in mobile and web applications, the OAuth 2.0 and OpenID Connect standards are more rigorously enforced, as the built-in OpenID Connect Provider is fully conformant with the OpenID Foundation’s conformance tests. This ensures greater interoperability and consistent behavior for developers.
High Availability and Scalability
With the advent of IoT, scaling identity systems has become even more challenging. Classic deployment scenarios involve stateful architectures where complex, multi-site failover environments offer extremely high reliability and uptime. And more recently, modern elastic cloud environments have allowed organizations to dynamically scale their production environment to meet demand peaks and troughs. The ForgeRock Identity Platform can do both, with stateless and stateful session architectures that also enable “five 9’s” availability for large-scale, mission-critical deployments. Stateless architectures are optimal for deployments with massive scale, into the hundreds of millions, and even billions of identities. With its Docker support and comprehensive remote configuration tools, ForgeRock Access Management is an ideal fit for these dynamic deployments. And for more traditional stateful architectures, ForgeRock Access Management provides both system failover and session failover. These two key features help to ensure that no single point of failure exists in the deployment, and that the ForgeRock Access Management service is always available to end-users. Redundant ForgeRock Access Management servers, policy agents, and load balancers prevent a single point of failure. Session failover ensures the user’s session continues uninterrupted, and no user data is lost.
Common Auditing Architecture
The Common Audit Framework provides a means to log data consistently across the ForgeRock Identity Platform, and enables you to correlate events and transactions. Audit topics, such as access and activity, can be configured independently, delivering the data you want to the appropriate business services. Handlers are available for Elasticsearch (part of the Elastic Stack), JMS, CSV files, JDBC connections, and Syslog.
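The two capabilities named above, per-topic routing to different handlers and cross-topic correlation of one transaction, can be shown with a small added JavaScript example. It is not ForgeRock code and does not reproduce the framework's configuration or its exact event schema: the four audit events, their field names and event names, the CSV and syslog line formats, and the topic-to-handler routing table are all constructed for the illustration. What it does show is the one thing correlation depends on, a `transactionId` shared by every event that a single request produces, whichever topic it lands in.

```javascript
// Added illustration, not ForgeRock code: fan audit events out to
// per-topic handlers, then rebuild one transaction's timeline across
// topics from the shared transactionId. All events and formats are constructed.

// Constructed events from one successful login (txn-1) and one failed
// policy request (txn-2); field and event names are assumptions.
const sampleEvents = [
  { topic: "authentication", timestamp: "2024-01-01T10:00:00.000Z", eventName: "LOGIN_COMPLETED", transactionId: "txn-1", userId: "alice", result: "SUCCESSFUL" },
  { topic: "access",         timestamp: "2024-01-01T10:00:01.200Z", eventName: "ACCESS_OUTCOME",  transactionId: "txn-1", userId: "alice", result: "SUCCESSFUL", path: "/users/alice" },
  { topic: "activity",       timestamp: "2024-01-01T10:00:01.350Z", eventName: "SESSION_CREATED", transactionId: "txn-1", userId: "alice" },
  { topic: "access",         timestamp: "2024-01-01T10:02:00.000Z", eventName: "ACCESS_OUTCOME",  transactionId: "txn-2", userId: "bob",   result: "FAILED", path: "/policies" },
];

// Quote a CSV field so a value containing a comma, quote or newline cannot
// break the row or smuggle an extra column into the log.
function csvEscape(value) {
  const s = value === undefined || value === null ? "" : String(value);
  return /[",\n\r]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Handlers: each turns an event into what it would write to its sink.
// The "memory" handler stands in for a queryable store (JDBC, Elasticsearch).
const store = [];
const handlers = {
  csv: e => [e.timestamp, e.topic, e.eventName, e.transactionId, e.userId, e.result].map(csvEscape).join(","),
  // RFC 5424 layout; PRI 14 = facility user (1) * 8 + severity informational (6)
  syslog: e => `<14>1 ${e.timestamp} am-host audit - ${e.topic} - ${JSON.stringify(e)}`,
  memory: e => { store.push(e); return e; },
};

// Routing table: each topic is configured independently (assumed layout).
const routing = {
  authentication: ["csv", "syslog", "memory"],
  access:         ["csv", "memory"],
  activity:       ["syslog", "memory"],
};

// Deliver one event to every handler its topic is routed to; returns the outputs.
function dispatch(event) {
  return (routing[event.topic] || []).map(name => handlers[name](event));
}

// Correlate: everything one transaction produced, across topics, in time order.
function correlate(transactionId) {
  return store
    .filter(e => e.transactionId === transactionId)
    .sort((a, b) => a.timestamp.localeCompare(b.timestamp));
}

function runDemo() {
  sampleEvents.forEach(dispatch);
  return correlate("txn-1").map(e => `${e.topic}:${e.eventName}`);
}

if (typeof require !== "undefined" && require.main === module) console.log(runDemo());
```

The `csvEscape` helper is the detail a defender cares about in the CSV handler: a user-controlled value such as a path or username that contains a comma or quote must not be able to forge extra columns or rows in the audit file.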
Anthony Hayes | Sales Manager IAM
+1 (323) 918 1515