8. OpenAM
[Architecture diagram; labels recovered from the slide: User Interface (End User, Management); ForgeRock UI Framework; Protected Resources (Web Agents, JavaEE Agents, Web Services Agents); ForgeRock REST (Commons REST); Core Services (Core Token Service; Authentication, OAuth, OpenID Connect, XACML, Federation, Secure Token Service, Scripting, User Management, Entitlements, Session, Audit, Configuration); SPIs (Authentication Plugins, Policy Plugins, User Mgmt Plugins, Token Service Plugins, Federation Plugins); Persistence (OpenDJ); Universal Gateway]
IRM Summit 2014
9. OpenIDM
[Architecture diagram; labels recovered from the slide: OSGI; ForgeRock UI Framework; Jetty Web Server; Authentication Filter (JASPI); ForgeRock REST Router; Business Logic (Javascript, Groovy); Configuration; Managed Users; System (Connectors); Sync/Recon; Audit/Logs; Task Scanner; Scheduler; Policy; Audit; Persistence (OrientDB)]
10. OpenDJ
[Architecture diagram; labels recovered from the slide: User Interface (Management, End User); ForgeRock UI Framework; ForgeRock REST; Web Application; REST2LDAP; Java SDK / LDAPv3; Core Server (Schema, Password Policy, Groups, Access Control, Management, Caching, LDAPv3, Replication, Monitoring, Auditing); Backend Services (Change Log, Persistence, Connectors, LDIF, Memory)]
12. OpenIDM Architecture
[Architecture diagram; labels recovered from the slide: OSGI; ForgeRock UI Framework; Jetty Web Server; Authentication Filter (JASPI); ForgeRock REST Router; Business Logic (Javascript, Groovy, Java); Policy; Audit; Configuration; Managed Users; System (Connectors); Sync/Recon; Audit/Logs; Scheduler; Workflow; Persistence (OrientDB)]
14. RESTful API for Internet Scale
[Diagram: ForgeRock REST Router routing requests to addressable resources]
■ Create, Read, Update, Delete, ...
■ Addressable (URI/URL) resource, e.g. system/ldap/account
■ Route to resources
15. Consistent Internal & External Access
[Diagram: UI, console, cli, ... → Jetty Web Server → ForgeRock REST Router → Business Logic (Javascript, Groovy, Java)]
■ Automatic HTTP mapping: GET → read, PUT → update, ...
■ Java or scripting calls: openidm.read(), openidm.update(), ...
16. Modular, Pluggable
[Diagram: OSGI; ForgeRock UI Framework; Jetty Web Server; Authentication Filter (JASPI); ForgeRock REST Router; Business Logic (Javascript, Groovy, Java); Configuration; System (Connectors)]
■ Modules
■ Service registration, e.g. config/schedule/x, system/google/account
17. Common Enforcement Point
[Diagram: OSGI; ForgeRock UI Framework; Jetty Web Server; Authentication Filter (JASPI); ForgeRock REST Router; Policy; Audit; Business Logic (Javascript, Groovy, Java)]
■ Common authentication framework
■ Cross cutting filters, authorization, enforcement, ...
18. Core Modules
[Architecture diagram; labels recovered from the slide: OSGI; ForgeRock UI Framework; Jetty Web Server; Authentication Filter (JASPI); ForgeRock REST Router; Business Logic (Javascript, Groovy, Java); Policy; Audit; Configuration; Managed Users, Roles...; System (Connectors); Sync/Recon; Audit/Logs; Scheduler; Workflow; Persistence (OrientDB)]
19. Flexible Data Model
[Diagram: the OpenIDM stack (OSGI; ForgeRock UI Framework; Jetty Web Server; Authentication Filter (JASPI); ForgeRock REST Router; Policy; Audit; Business Logic (Javascript, Groovy, Java); Persistence (OrientDB)) with Managed Users, Roles... highlighted]
■ Really, Managed Object
■ PUT managed/phone/x
  {
    "sim" : "...",
    "IMEI" : "...",
    …
  }
■ Facilities work on different types
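The routing model on slides 14 to 19, as an added, constructed example that is not OpenIDM's or ForgeRock's code: one router in front of addressable resources, HTTP verbs mapped automatically to read/update/create/delete, the same router behind script calls such as openidm.read() and openidm.update(), cross-cutting filters (authentication, audit) that run before any handler, and managed objects stored as free-form JSON so a phone and a user share one model. Every name, the session token and the phone record are invented for the illustration; the authentication filter is a stand-in for the JASPI filter on the slides, not its implementation.

```javascript
// Constructed miniature of a CREST-style router (not OpenIDM's code).

// Managed and system objects are free-form JSON documents; one store model
// serves every collection, which is what "facilities work on different types"
// relies on. Keys are the collection part of a resource path.
const stores = {
  "managed/user": new Map(),
  "managed/phone": new Map(),
  "system/ldap/account": new Map(),
};

// Constructed audit log: one record per request, successful or not.
const audit = [];

// The four CRUD operations every collection supports (slide 14).
const ops = {
  read: (store, id) => {
    if (!store.has(id)) throw new Error("404 " + id);
    return store.get(id);
  },
  create: (store, id, body) => {
    if (store.has(id)) throw new Error("412 " + id + " already exists");
    store.set(id, Object.assign({ _id: id }, body));
    return store.get(id);
  },
  update: (store, id, body) => {
    if (!store.has(id)) throw new Error("404 " + id);
    store.set(id, Object.assign({ _id: id }, body));
    return store.get(id);
  },
  delete: (store, id) => {
    if (!store.has(id)) throw new Error("404 " + id);
    const gone = store.get(id);
    store.delete(id);
    return gone;
  },
};

// Route a path like "system/ldap/account/123" to its collection and id:
// the longest matching collection prefix wins, the remainder is the id.
function route(path) {
  const prefix = Object.keys(stores)
    .filter((p) => path.startsWith(p + "/"))
    .sort((a, b) => b.length - a.length)[0];
  if (!prefix) throw new Error("404 no route for " + path);
  return { store: stores[prefix], id: path.slice(prefix.length + 1) };
}

// Cross-cutting filters (slide 17). They sit in front of the router, so no
// handler is reachable without passing them, whether the call came over HTTP
// or from a script. The session check is a constructed stand-in for JASPI.
const VALID_SESSIONS = new Set(["session-abc"]); // constructed sample token
function authFilter(ctx) {
  if (ctx.internal || VALID_SESSIONS.has(ctx.session)) return;
  throw new Error("401 not authenticated");
}
function auditFilter(ctx, op, path, run) {
  const rec = { caller: ctx.internal ? "internal" : ctx.session || "anon", op, path };
  try {
    const out = run();
    audit.push(Object.assign(rec, { outcome: "success" }));
    return out;
  } catch (e) {
    audit.push(Object.assign(rec, { outcome: e.message }));
    throw e;
  }
}

// Single dispatch point used by both the HTTP surface and the script API.
function dispatch(ctx, op, path, body) {
  return auditFilter(ctx, op, path, () => {
    authFilter(ctx);
    const { store, id } = route(path);
    return ops[op](store, id, body);
  });
}

function exists(path) {
  try { const { store, id } = route(path); return store.has(id); }
  catch (e) { return false; }
}

// Automatic HTTP mapping (slide 15): the verb selects the operation. PUT with
// a client-supplied id creates when the id is new ("PUT managed/phone/x" on
// slide 19) and replaces otherwise.
function httpRequest(method, path, body, session) {
  const ctx = { session };
  const op = { GET: "read", DELETE: "delete", POST: "create" }[method]
    || (method === "PUT" ? (exists(path) ? "update" : "create") : null);
  if (!op) throw new Error("405 " + method);
  return dispatch(ctx, op, path, body);
}

// Script-side API: the calls business logic would make, routed identically.
const openidm = {
  read: (path) => dispatch({ internal: true }, "read", path),
  create: (path, body) => dispatch({ internal: true }, "create", path, body),
  update: (path, body) => dispatch({ internal: true }, "update", path, body),
  delete: (path) => dispatch({ internal: true }, "delete", path),
};
```

A PUT of a phone record with a valid session lands in the store, an unauthenticated GET of the same path is refused at the filter before the router is consulted, and the script call openidm.read() returns the same object, with all three passes recorded in the audit log.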
26. Open Identity Stack UI Model
■ “Single-Page Web App” style
■ Single UI model for all products
■ Built on ForgeRock REST (CREST)
■ Common UIs for:
– User management
– Registration and Self Service
– Login and Password Reset
■ Built on shared services for Authentication
27. ForgeRock UI Library Stack
jQuery (General utility) + jQuery UI (Widgets)
Backbone.js + Require.js (Modular MVC Architecture)
Handlebars.js (Templating)
Underscore.js (General utility)
Less.js (CSS preprocessor)
Built on ForgeRock REST and Common Services
Caters to the web developers of today
28. Demo
■ OpenAM as the IDP
■ OpenDJ as the User and Config Store
■ OpenIDM provisioning to DJ
■ Commons
– ForgeRock REST in OpenAM, OpenIDM, OpenDJ
– Filters protecting OpenIDM
– ForgeRock UI in OpenIDM and OpenAM
Identity and Access Management (IAM) services were traditionally built for a company’s internal use, to assist with manual on- and off-boarding and with establishing access privileges to company data and systems behind the firewall. Today, though, a company must implement a dynamic IAM solution that serves employees, customers, partners and devices, regardless of location. This is the evolution of IAM to IRM: Identity Relationship Management.
What we sell:
4 key products built from our commercial open source identity services
Commercialized as off the shelf products sold under commercial license and subscription license
OpenAM – Access management, federation, fine-grained entitlements, adaptive authentication, risk-based authentication, etc.: all the elements of access management are in this one product, in one Java WAR file.
You get access to everything or use as much as you need and adopt the rest as you need it. This is a major differentiator.
Not built via acquisition like most access managers. Each of the products in typical access management software stands alone, using unrelated APIs, UIs, documentation, etc. These offerings are clunky and massive. They are not designed to work together.
OpenDJ – directory server
Built for massive scale
We support traditional ways of communicating with the directory server, like LDAP. But we also support native REST calls to it. Newer developers can use REST because they typically don’t know LDAP.
Built to scale to 100s of millions of transactions.
100% Java commercial open source product that can be embedded for failover, replication, or directory services that you want to embed into your cloud or enterprise app.
OpenIDM – identity management
Lightweight, highly scalable identity management system.
Modular OSGi architecture. You can deploy just the unique services you want; you don’t have to deploy the monolithic whole thing. You can deploy, for example, only registration or workflow or other small services.
You can use common languages like Java or Groovy to build business logic for how to work with a resource. You no longer need to know a proprietary scripting language to deploy it.
Customization-friendly, with a REST API that lets you build workflows and UIs to build out your deployment.
ForgeRock Bridge SPE (Service Provider Edition) – allows cloud service providers to provide enterprises with an on-premise white box app that makes it simple to integrate on-premise identity infrastructure with the cloud infrastructure
You can drop the equivalent of a software appliance into your environment, configure it in minutes, and have it immediately syncing all the identity data from your local identity stores with your cloud identity stores, so you can provision new users immediately, do password synchronization, federation for access, deprovisioning and compliance, and have one way of doing all of this.
Business value of what ForgeRock does – how we leverage our platform to enable key solutions and Identity relationship management.
BE SURE TO REPLACE “LEGAL INFORMATION” IN THE BOTTOM RIGHT WITH “FORGEROCK CONFIDENTIAL” IF DOC IS INTERNAL OR NDA