White Paper: Open Identity Stack. Forging a New Future with Identity Relationship Management

Contents
1. Executive Summary
2. Introduction
3. Business Pain Points
4. Business Trends
5. The Open Source Solution
6. The ForgeRock Model
7. Business Model
8. Conclusion


1. Executive Summary

Identity and Access Management (IAM) services were traditionally built for a company’s internal use, to assist with manual on- and off-boarding, and establishing access privileges to company data and systems behind the firewall. Today though, a company must implement a dynamic IAM solution that serves employees as well as customers, partners, and devices, regardless of location. ForgeRock embraces this shift from internal, on-premises IAM to Identity Relationship Management (IRM): public-facing, secure, and accessible identity as business enabler. ForgeRock’s next-generation IRM platform is designed to empower CEOs and enterprises to engage with consumers via new revenue-generating services, while continuing to maintain our proven traditional IAM capabilities.

2. Introduction

Business, education, and government institutions use platforms to regulate individuals’ identities and their associated attributes, credentials, and entitlements organization-wide. Today, identity relationship management is necessary both on- and off-premises, and is increasingly important for managing users in mobile, social, and cloud environments.

Legacy identity management solutions were not built for cloud compatibility, device-agnostic access, high volume, or consumer engagement, and most were built by acquisition, rather than designed to work as a cohesive whole. This makes them inherently:
■ static
■ limited in scalability
■ difficult to implement
■ hard to exit
■ complex to integrate
■ inaccessible to most developers
■ heavyweight
■ unconscionably expensive

Solutions must be flexible enough to support new consumer-facing mobile, social, web, and cloud app projects, while providing seamless integration with legacy systems. Platforms should be purpose-built to work together anywhere, so clients are never saddled with the costs of acquisitions. Agile organizations need solutions that are:
■ adaptable
■ highly scalable
■ simple to implement
■ exitable
■ modular
■ developer-friendly
■ lightweight
■ cost-effective

Identifying and targeting these solution benefits is especially critical now, during this transition period from traditional, on-premises IAM to mobile, social, web, and cloud-compatible IRM platforms, as businesses make decisions about their future identity strategy. Making a great identity decision will not merely protect a company’s data; it will allow the organization to shift away from the burden of supporting legacy systems, to investment in solutions that accelerate innovation and drive top-line growth.


3. Business Pain Points

The legacy IAM pain points described above pose challenges for the enterprise in the following ways:

Static — Traditional IAM is designed for specific static events, but in today’s IRM world, systems must understand and react to contextual circumstances to determine whether or not you get access, and if so, how much and to what. If you log in from a new device or from a different country, for example, a modern, adaptable IRM system will adjust to the uncertain circumstances and ask you for additional authentication beyond a simple password.

Limited in Scalability — Traditional IAM platforms were designed to protect the perimeter and employees only, making them difficult to adapt for the modern enterprise, which must maintain mobile, web, social, cloud, and on-premises identity data simultaneously in order to satisfy client, customer, and employee IRM needs. As the number of users grows exponentially, modern IRM systems must be able to accommodate hundreds, thousands, or even millions of additional identities instantaneously, achieving a scalable volume that was neither possible nor needed for the enterprise, but is essential in an Internet-connected, consumer-facing world.

Difficult to Implement — Legacy IAM solutions, traditionally constructed through acquisitions, are chock full of varying APIs, documentation, libraries, and protocols with no consistent standard of operation. Developers waste valuable time learning how all the parts and pieces work, instead of modifying, customizing, and streamlining the platform to suit unique business needs.

Hard to Exit — Proprietary solutions are infamous for rip and replace migration strategies and vendor lock-in contracts. Once an enterprise has experienced the lengthy, painful process of moving all IAM data and operations to the new platform, they are unlikely to want to repeat the process again soon, whether or not they are satisfied with the platform. And when the contracts come up for renewal, high-pressure legal tactics are used to force enterprise customers to immediately renew in order to avoid use of the product in breach of contract.

Complex to Integrate — Proprietary IAM suites notoriously demand a rip and replace migration process from clients’ existing platforms. Proprietary code is hidden from developers looking to incorporate new solutions into existing IAM strategies, and is not designed to be customizable or play well with others. Traditional IAM, typically built piecemeal through acquisitions and tacking on parts as needs arise, struggles to respond to the multitude of users, circumstances, devices, access points, and access privileges that dominate today’s IRM world.

Inaccessible to Developers — Legacy IAM platforms built by acquisition are saddled with a whole host of disparate APIs, libraries, documentation, etc., hindering the developer’s ability to learn, make adjustments, tailor solutions, and teach others to use the platform. Proprietary code gives developers limited maneuverability.

Heavyweight — Designed for the old world of on-premises IAM security, these solutions generally rely on heavyweight APIs and complex standards that are only accessible to developers and architects with specialized identity knowledge.

Unconscionably Expensive — Contracts with legacy vendors famously begin with a discount, but then quickly ramp up in maintenance and subscription fees, gouging customers for every feature and upsell. High-pressure tactics are used to elicit renewals at a significantly higher price point, and clients are hesitant to go through another round of painful rip and replace migration. The costs are always high because the customer pays for the acquisitions that built their IAM platform.


4. Business Trends

Though enterprises tolerated the challenges of legacy IAM platforms in the past, they now face a greater—and growing—need for highly effective IRM solutions, internally and externally. The number of users, devices, and identities to manage is growing exponentially, increasing numbers of applications are moving to the cloud and other devices, and CEOs are determined to engage with consumers in order to drive top-line revenue and maintain an edge over the competition.

Today, effective security demands integrated, contextual, and highly scalable identity data, efficient, consumer-facing services, and developer-friendly ways to support the growing milieu of users, devices (laptops, phones, touchpads, cars, etc.), and mobile, social, web, and cloud applications (on or off premises). CIOs must invest in IRM solutions because identity management is now a business driver that touches customers, partners, employees, and users, directly impacting top line revenue. This is the evolution of IAM to IRM: Identity Relationship Management.

This shift in business emphasis has a direct technical impact on how we think about identity and access management. Managing risk, auditing, reporting, and compliance are ongoing costs of business that an effective identity management strategy should continue to address. The right identity relationship management solution will also actively contribute to essential top-line growth by adhering to the pillars of IRM outlined below:

Pillars of IRM

Business Pillars:
1. CONSUMERS AND THINGS over employees
2. ADAPTABLE over predictable
3. TOP LINE REVENUE over operating expense
4. VELOCITY over process

Technical Pillars:
5. INTERNET SCALE over enterprise scale
6. DYNAMIC INTELLIGENCE over static intelligence
7. BORDERLESS over perimeter
8. MODULAR over monolithic

Consumers and Things over Employees — Traditional IAM platforms were designed for on-premises employee use and are unable to provide the quick, secure, and device-flexible IAM experience customers are looking for. Modern identity management must manage access privileges for all stakeholders across a variety of devices.

Adaptable over Predictable — Unlike traditional IAM designed for specific static events, IRM must understand contextual circumstances. For example, a user logging in from a different device or location should have access to the information they need.

Top Line Revenue over Operating Expense — IAM has always been viewed as a necessity for employees and therefore a business cost. In today’s world, the security system is used to authenticate and authorize both consumers and employees. If an IRM solution is efficient, secure, and accurate, it can directly contribute to a business’ top line revenue, as customers will have easy access to secure applications where they can buy services.


Velocity over Process — IAM has migrated from business cost to business driver. Companies suffer materially if their IAM solution takes too long to deploy, adapt, or respond to user events. Employees had to put up with slow IAM systems, but customers don’t and won’t. Modern IRM serving employees, customers, and devices must instantly react to variable circumstances and events, and must be massively scalable and available so that no user ever waits around—or worse, is shut out. CIOs today make IRM decisions based on speed, ease of use, and the ability to scale to handle customer volume—not based on implementation and cost of deployment.

This shift in business emphasis has a direct technical impact on how we think about identity and access management. Through this shift we have come to value:

Internet Scale over Enterprise Scale — Today’s users access secure systems not just on premises, but in the cloud and via the Internet, any time, day or night. Today’s users are not just employees logging on at work but also partners, customers, and devices signing in from anywhere. As the number of users grows exponentially, modern IRM systems must be able to accommodate hundreds, thousands, or even millions of additional identities instantaneously, achieving a scalable volume that was neither possible nor needed for the enterprise, but is essential in an Internet-connected, consumer-facing world.

Dynamic Intelligence over Static Intelligence — Traditional IAM was designed for a specific set of events – employee on- and off-boarding, for example, taking place in a predictable on-premises work environment. Today’s IRM must understand the circumstances in order to determine whether or not you get access, and if so, how much and to what. If you log in from a new device or from a different country, for example, a modern, adaptable IRM system will adjust to the uncertain circumstances and ask you for additional authentication beyond a simple password.

Borderless over Perimeter — Once upon a time, employees arrived at the office, logged into secure systems and logged back off at the end of the day. In today’s work-from-anywhere culture, employees, as well as partners and customers, need access from laptops, phones, tablets and even cars. They access secure data stored not only on company premises, but also in the cloud and hosted by SaaS providers.

Modular over Monolithic — Today’s IRM demands are much more complex than those of traditional IAM. A good IRM solution is designed from the ground up as an integrated, cohesive stack that is purpose-built to handle complexity. Traditional IAM, typically built piecemeal through acquisitions and tacking on parts as needs arise, struggles to respond to the multitude of users, circumstances, devices, access points, and access privileges that dominate today’s IRM world.

As more people, devices and things are assigned identities across networks, IRM services that are simple, flexible, scalable, and designed to quickly verify identities and access privileges become imperative for any business to safely and efficiently engage with their customers. Today’s solutions must link devices—laptops, phones, touchpads, cars—and new mobile and social apps to a single security platform that works all the time, everywhere, on premises or off in the cloud. Our Open Identity Stack is designed with this new reality in mind.


5. The Open Source Solution

The open source model addresses many of the IAM pain points businesses currently experience, and caters to the pillars of IRM outlined above.

Open source software is not proprietary, and procurement is simple: users just download the code and use it for proof of concept and testing straight out of the box, for free. It allows an organization to experiment with the code before deciding it provides an ideal IRM solution — allowing them to innovate in the IRM sector where their competitors cannot. Once ready to design, architect, and deploy, users simply purchase a subscription license. ForgeRock provides a bundled offering, where a subscription provides enterprise customers with a software license, maintenance releases, global support, and legal indemnification, giving you the power, protection, and insurance you need for a successful deployment.

And at the end of the day, there is no barrier to exit. Any enterprise with a subscription is able to use as much or as little of the open source code as they like, pairing it with proprietary solutions, using it in part, or using the whole suite straight out of the box. This open model comes with code that is flexible and adjustable by design. It’s also great code: developers are notoriously hesitant to release code with their name on it without thoroughly vetting it first, lest they lose credibility with the entire community, who can see all of their work. More eyeballs also means fewer bugs and quicker fixes, making open source code the safest code available. The ForgeRock global team of developers and active and engaged community members work together to develop fixes, innovations, and stable new releases faster than anyone else on the market, maximizing quality, efficiency, and value. It also provides a development model where organizations can commit code tailored to their needs back to the project, where it must pass a rigorous QA process, providing a level of participation and influence that is not possible with proprietary offerings.

“As a large telecom with an extensive IT environment and needs, we value having access to the source code.” KEVIN HIGGINS, Telecom NZ

The beauty of open source is that modifications of general interest will be vetted and then accepted into the code base by the community, diminishing the need for additional development staff on the part of the customer, and expensive requests for custom code from proprietary vendors. Over time, open source has the power to bring identity and access management code development for the majority of companies—big and small—into alignment, thereby establishing a safe, useful, efficient, transferable, and elegantly architected IRM standard.

The open source model presents a highly attractive alternative as enterprises seek out lightweight, flexible IRM solutions that can accommodate anytime, anywhere, any device consumer-facing projects, in addition to traditional on-premises needs.


6. The ForgeRock Model

ForgeRock is committed to the development of identity relationship management through the creation of simple, open source, developer-friendly identity solutions that we call the Open Identity Stack. A single, common programming interface enables simple access to OpenAM, OpenIDM, and OpenDJ, so that each delivers rich, modular, massively scalable, lightweight identity relationship management services. Removing the complexity of the underlying services with multiple tiers of API abstraction (see Table 1: Developer API Tiers) is a significant advantage to developers and the business. Now for the first time, a developer can utilize reusable shared services across an entire identity platform, whatever the requirements of the application strategy. This is a completely different model from the standard legacy provider approach, which requires developers to bend applications to support the vendor. The ForgeRock developer-centric approach and common API development platform is changing what was once costly and complex into easily accessible and reusable solutions that companies can implement safely and efficiently, whether internally or externally, in order to effectively drive top line revenue.

Table 1: Developer API Tiers

Tier 1: Simple REST Services >>> Architecture
■ Lightweight and simple
■ Common APIs across stack
■ Program language agnostic

Tier 2: Standards (SAML, OAuth2.0, SCIM, WS-*, OpenID Connect) >>> Key Identity Standards
■ Standards based services
■ Reusable and scalable
■ Interoperable and open

Tier 3: Applications >>> Plugins and Connectors
■ No need to touch application
■ Abstracted security
■ Scalable and robust


The Open Identity Stack Shared Services-Based Architecture

Diagram 1: Open Identity Stack Shared Services

The Open Identity Stack is a shared services-based architecture for managing the complete lifecycle of an identity and its ongoing usage, including the attributes, credentials, and entitlements; the real-time controls for access based on attributes, role, entitlement, and context; and the administration and reporting of those activities. The architecture has many shared services that span the three core products, making it easier to develop, implement, and manage your deployment. These services (see Diagram 1: Open Identity Stack Shared Services) include a common RESTful API, registration, and standards-based services such as OAuth2.0, among others, along with a common lightweight UI model to help integrate the internal Open Identity Stack components as well as external systems, and provide a unified experience for developers and administrators.

The Open Identity Stack is 100% open source and consists of the following solutions:

■ OpenAM is an open source Authentication, Authorization, Federation, Web Services Security, Fine-Grained Entitlements, and Adaptive Authorization solution. It also includes application and web container policy enforcement agents. Packaged with OpenAM, OpenIG (Identity Gateway) is a high-performance gateway with specialized session management and credential replay functionality.

■ OpenIDM is an open source User Administration and Provisioning solution. OpenIDM uses the Open Identity Connectors Framework and Toolkit (OpenICF) to aid development of resource connectors.

■ OpenDJ is the first directory server to provide native support of the REST API. It is an open source LDAP solution with a high-performance, highly available, secure directory server, built-in data replication, client tools, and a developer-friendly LDAP SDK. Access is provided via LDAP, Web Services, and REST API.


OpenAM Overview:

OpenAM was designed in response to a milieu of access management suites that were pieced together through acquisitions, creating an accidental architecture that complicates deployment and passes integration costs on to customers. Based on the Sun OpenSSO codebase, OpenAM (see Diagram 2: OpenAM Functional Architecture) is an “All-In-One” access management platform for protecting any type of resource across enterprise, cloud, social, and mobile environments. What has traditionally been delivered by legacy identity vendors as six different products — SSO, adaptive authentication, strong authentication, federation, web services security, and fine-grained entitlements — is delivered as a single, unified offering. Organizations can use the services they need and simply “turn on” additional services when ready.

The solution has an inherently unique architecture to support use cases from complex enterprise access control, to multi-protocol federation, to enabling SSO for cloud systems. At the highest level OpenAM consists of a single, self-contained application; service components such as session management; client side APIs in C, Java, REST; service provider interfaces to enable custom plugins; and policy agents for web and app server containers to enforce access policies to protected web sites and web applications. Organizations with existing internal access management solutions can easily integrate OpenAM into their environment through API services or through the token translation service. Maintaining all installation and configuration capabilities within one application vastly simplifies deployment. In addition, agent configuration, server configuration, and other tasks are simplified to be repeatable and scalable, so multiple instances of the solution can be deployed without additional effort. The embedded OpenDJ directory server eliminates the need to configure a separate directory to support the configuration and user stores, or if desired, users can utilize other LDAP directories such as Sun DSEE or databases.

Diagram 2: OpenAM Functional Architecture (layers, top to bottom: UI Layer: Management, End User; Protected Resources Layer: Web Agents, JavaEE Agents, WS Agents; Access Layer: Common REST, OpenID Connect | OAuth2 | SAML | WS; Services Layer: AuthN, Federation, Adaptive Risk, AuthZ, Session Management, SSO, Entitlements, Password Management, Logging; Data Persistence Layer; External Layer: Authentication Systems, User Stores, Directory Tools, Reporting Tools, SIEM, Analytics Tools)


Key OpenAM Features:

■ Authentication: With over 20 out-of-the-box authentication methods supported, OpenAM has the flexibility to chain methods together along with Adaptive Risk scoring, or to create custom authentication modules based on the JAAS (Java Authentication and Authorization Service) open standard. Windows IWA is supported to enable a completely seamless heterogeneous OS and Web application SSO environment.

■ Authorization: OpenAM provides authorization policy from basic, simple, coarse-grained rules to highly advanced, fine-grained entitlements based on XACML (Extensible Authorization Mark-Up Language). With the ability to abstract authorization policy away from the application, developers can quickly add or change policy as needed without modification to the underlying application.

■ Adaptive Risk Authentication: The adaptive risk authentication module is used to assess risks during the authentication process, to determine whether to require that the user complete further authentication steps. Adaptive risk authentication determines, based on risk scoring, whether more information from a user is required when they log in. For example, a risk score can be calculated based on an IP address range, access from a new device, account idle time, etc., and applied to the authentication chain.

■ Federation: Federation services securely share identity information across heterogeneous systems or domain boundaries using standard identity protocols (SAML, WS-Fed, OpenID Connect). Quickly set up and configure service provider or cloud service connections through the Fedlet, OAuth2.0 Client, OAuth2.0 Provider, or OpenIG Federation Gateway. OAuth2.0 support is an open standard for modern federation and authorization, allowing users to share their private resources with tokens instead of credentials. Unique to OpenAM, the OpenIG Federation Gateway provides a SAML2 compliant enforcement point and allows businesses to quickly add SAML2 support to their applications with little to no knowledge of the standard.

In addition, there is no need to modify the application or install any plugin or agent on the application container. Out-of-the-box tools enable simple task-based configuration of Google Apps, ADFS2, along with many other integration targets. OpenAM can also act as a multi-protocol hub, translating for providers who rely on other, older standards.

■ Single Sign-On: OpenAM provides multiple mechanisms for SSO, whether the requirement is enabling cross-domain SSO for a single organization, or SSO across multiple organizations through the Federation Service. OpenAM supports multiple options for enforcing policy and protecting resources, including policy agents that reside on web or application servers, a proxy server, or the OpenIG (Identity Gateway). OpenIG runs as a self-contained gateway and protects web applications where installing a policy agent is not possible.

■ High Availability: To enable high availability for large-scale and mission-critical deployments, OpenAM provides both system failover and session failover. These two key features help to ensure that no single point of failure exists in the deployment, and that the OpenAM service is always available to end-users. Redundant OpenAM servers, policy agents, and load balancers prevent a single point of failure. Session failover ensures the user’s session continues uninterrupted, and no user data is lost.

■ Developer Access: OpenAM provides client application programming interfaces with Java and C APIs and a RESTful API that can return JSON or XML over HTTP, allowing users to access authentication, authorization, and identity services from web applications using REST clients in their language of choice. OAuth2.0 also provides a REST Interface for the modern, lightweight federation and authorization protocol.
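The adaptive risk scoring described under Key OpenAM Features above, as an added illustration that is not OpenAM’s own code: it computes a score from the source IP range, a previously unseen device and account idle time, then applies it to the authentication chain to decide whether a second factor is required. The weights, thresholds, trusted network ranges, module names and the sample account are constructed assumptions for this example.

```python
"""Adaptive risk scoring applied to an authentication chain.

Added illustration (not OpenAM code): models the idea described on the page,
where a risk score built from the source IP range, a previously unseen device
and account idle time decides whether the chain asks for a second factor.
Weights, thresholds, network ranges and accounts are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy values; a real deployment tunes these per application.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
WEIGHT_UNTRUSTED_IP = 30
WEIGHT_NEW_DEVICE = 40
WEIGHT_IDLE_ACCOUNT = 20
IDLE_THRESHOLD = timedelta(days=90)
STEP_UP_THRESHOLD = 50  # at or above this score, a second factor is required


@dataclass
class Account:
    username: str
    known_devices: set = field(default_factory=set)  # device ids seen before
    last_login: Optional[datetime] = None


@dataclass
class LoginAttempt:
    username: str
    source_ip: str
    device_id: str
    at: datetime


def risk_score(account: Account, attempt: LoginAttempt):
    """Return (score, reasons); the reasons list is what an audit log should record."""
    score, reasons = 0, []
    ip = ip_address(attempt.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        score += WEIGHT_UNTRUSTED_IP
        reasons.append("ip-outside-trusted-range")
    if attempt.device_id not in account.known_devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("new-device")
    if account.last_login is not None and attempt.at - account.last_login > IDLE_THRESHOLD:
        score += WEIGHT_IDLE_ACCOUNT
        reasons.append("idle-account")
    return score, reasons


def authentication_chain(account: Account, attempt: LoginAttempt):
    """Build the ordered list of modules the user must complete.

    The password module is always required; the risk module appends an OTP
    step when the score reaches STEP_UP_THRESHOLD. Returns (chain, score, reasons).
    """
    chain = ["password"]
    score, reasons = risk_score(account, attempt)
    if score >= STEP_UP_THRESHOLD:
        chain.append("otp")
    return chain, score, reasons


def record_success(account: Account, attempt: LoginAttempt) -> None:
    """After the whole chain succeeds, remember the device and login time so the
    same device from a trusted network is low risk next time."""
    account.known_devices.add(attempt.device_id)
    account.last_login = attempt.at


def evaluate(source_ip, device_id, known_devices, days_since_last_login, now=None):
    """Convenience wrapper that builds an Account and LoginAttempt from plain values."""
    now = now or datetime(2014, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    account = Account("alice", set(known_devices), now - timedelta(days=days_since_last_login))
    attempt = LoginAttempt("alice", source_ip, device_id, now)
    return authentication_chain(account, attempt)


if __name__ == "__main__":
    # Constructed attempts: a known laptop on the corporate range, then an
    # unknown phone from an address outside the trusted networks.
    for ip, dev in [("10.1.2.3", "laptop-1"), ("203.0.113.5", "phone-9")]:
        chain, score, why = evaluate(ip, dev, ["laptop-1"], 1)
        print(f"{ip:>12} {dev:<9} score={score:<3} chain={chain} {why}")
```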


Customer Use Case

CUSTOMER: Government of Norway. Providing 4M citizens access to 300+ Government services online.

THE CHALLENGE: Deliver secure government services to Norwegian citizens and businesses so they can do things like obtain birth and death certificates, apply for schools and student loans, manage welfare services and health information, and pay parking tickets, automobile registration fees, utility bills, and taxes online.

THE SOLUTION: Implement a flexible, secure, single-access architecture built with ForgeRock OpenAM to enable nearly 100% of citizens to access over 300 government services.

HOW: The hub, ID-Porten, is at the center of the architecture. Government agencies such as the tax office, labor and welfare agency, health economics administration agency, and water and energy directorate, are the spokes that use the authentication and single sign-on services of ID-Porten. The ID-Porten implements several levels of authentication: MyID, which uses PIN code authentication; BankID—a bank-issued electronic ID; Buypass, a private electronic ID that can also be used to bet online in Norway; and Certificates, which are stored in USB pens and issued by a private company. Each of the authentication eIDs can be associated with different authentication contexts and different authentication strengths.

BENEFITS:
■ Nearly 100 percent of adult citizens and over 500,000 businesses now access municipal, regional, and national government services from a single portal online, resulting in better security, faster processing times, and measurable savings.
■ Scalability and performance. ID and the authentication environment can handle more than one million users signing in on a single day without outages or degradation in performance, like on the day taxes are due.

“OpenAM’s simple, secure access to government services played a large part in the success of the eGovernment initiative.” TOR ALVIK, COO, Agency for Public Management & eGovernment

OpenDJ Overview:

OpenDJ is the only 100% open source, lightweight, embeddable big data platform for easily sharing real-time user identity data across enterprise, cloud, social, and mobile environments. Recognizing that traditional approaches to accessing identity data are overly complex, OpenDJ provides developers with choice. Developers no longer need to be LDAP experts. OpenDJ lets developers choose either LDAP or REST to access identity data using a single solution that can replicate data across on-premise and off-premise applications. OpenDJ combines the security of a proven directory with the accessibility of a database.

OpenDJ is an LDAPv3 and REST compliant directory service, developed for the Java platform, providing a high-performance, highly available, and secure store for the identities managed by your organization. Easy to install and configure, and combined with the utility of the Java platform, OpenDJ is the simplest, fastest directory to deploy and manage. Core to the management of identity information, OpenDJ directory services are used in many different use cases—whether it is for a large-scale cloud service directory, a consumer-facing directory, or an enterprise or network (NOS) directory. With a 100% Java code base, OpenDJ runs on many platforms, including virtualized environments. All software and data are architecture-independent, so migration to a different OS or a different server is as simple as copying an instance to the new server. This increases the deployment flexibility, as well as the portability between different operating systems and system architectures.


Diagram 3: OpenDJ Functional Architecture (layers, top to bottom: UI Layer: Management, End User; Access Layer: Common REST, LDAP SDK | LDAPv3; Services Layer: Password Policy, Schema Management, REST2LDAP, Access Control, Groups, Caching, LDAPv3 Replication, Monitoring, Auditing; External Layer: Active Directory, Samba, User Stores, Directory Tools, Reporting Tools, SIEM, Analytics Tools)

Key OpenDJ Features:

■ Performance: OpenDJ is optimized for performance at scale with data integrity and security. With millisecond response times and read/write performance in the tens of thousands per second, OpenDJ satisfies the most rigorous performance requirements across industries from telecom and financial services to large-scale consumer-facing applications.

■ Replication Services: By replicating data across multiple directory server instances, key user data is preserved in case of an outage. OpenDJ provides advanced replication options including multi-master, fractional, and assured. N-Way multi-master replication provides high-availability and disaster recovery capabilities. Fractional replication enables only specific attributes to be replicated and assured replication can be used to guarantee data availability even in the remote case of a server crash.

■ Security: OpenDJ stores identity data securely, with varying levels of authentication and authorization, including SSL, StartTLS, and certificate-based. It protects through encryption and advanced access control security policies. All configuration changes are audited and archived, offering easy rollback to a working configuration.

■ Delegated Authentication: OpenDJ can delegate authentication to another LDAP directory service, such as Active Directory, with a feature called pass-through authentication. The key benefit of pass-through authentication is to remove the security risks associated with synchronizing passwords (including possible capture and transfer of clear text passwords). With pass-through authentication, OpenDJ replays a user’s simple bind operation against the remote directory service. If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ.

■ Password Policy: OpenDJ password policies govern not only passwords, but also account lockout, and how OpenDJ provides notification about account status.
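The following is an added example and not OpenDJ code: a small Python model of the two behaviours described in the last two bullets. Pass-through users hold no password locally and their simple bind is replayed against a stand-in for the remote directory (failing closed when it is unreachable); users with a local password go through a lockout state machine that uses the attribute names of the LDAP password policy draft that OpenDJ implements (pwdFailureTime, pwdAccountLockedTime, pwdMaxFailure, pwdFailureCountInterval, pwdLockoutDuration). The policy values, the hashing parameters, the remote-directory API and all DNs are assumptions made for this example.

```python
"""Added example, not OpenDJ code: pass-through authentication plus
password-policy lockout, modelled on the behaviour described in the text.
Policy values, hashing and the remote-directory API are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PWD_MAX_FAILURE = 3               # assumed: failed binds before lockout
PWD_FAILURE_COUNT_INTERVAL = 300  # assumed: seconds a failure stays counted
PWD_LOCKOUT_DURATION = 900        # assumed: seconds locked; 0 means "until reset"


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so that a copied store yields no reusable secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class RemoteDirectory:
    """Stand-in for the remote LDAP server (e.g. Active Directory) that owns the passwords."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}

    def add(self, dn: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[dn] = (salt, _digest(password, salt))

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn not in self._creds:
            return False
        salt, stored = self._creds[dn]
        return hmac.compare_digest(stored, _digest(password, salt))


@dataclass
class Entry:
    dn: str
    salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None                            # None for pass-through users
    remote_dn: Optional[str] = None                            # mapped DN in the remote directory
    failure_times: List[float] = field(default_factory=list)   # pwdFailureTime values
    locked_time: Optional[float] = None                        # pwdAccountLockedTime


class LocalDirectory:
    """The OpenDJ side: entries either carry a local hash or map to a remote DN."""

    def __init__(self, remote: Optional[RemoteDirectory] = None) -> None:
        self.entries: Dict[str, Entry] = {}
        self.remote = remote

    def add_local(self, dn: str, password: str) -> None:
        salt = os.urandom(16)
        self.entries[dn] = Entry(dn, salt=salt, pw_hash=_digest(password, salt))

    def add_pass_through(self, dn: str, remote_dn: str) -> None:
        self.entries[dn] = Entry(dn, remote_dn=remote_dn)   # nothing secret stored here

    def stores_password(self, dn: str) -> bool:
        return self.entries[dn].pw_hash is not None

    def simple_bind(self, dn: str, password: str, now: float) -> str:
        """Return 'success', 'invalidCredentials', 'locked' or 'unavailable'."""
        e = self.entries.get(dn)
        if e is None:
            return "invalidCredentials"   # same answer as a bad password: no user enumeration
        if e.pw_hash is None:
            # Pass-through: replay the bind remotely. There is no local secret to
            # fall back on, so an unreachable remote fails closed.
            if self.remote is None or e.remote_dn is None:
                return "unavailable"
            ok = self.remote.simple_bind(e.remote_dn, password)
            return "success" if ok else "invalidCredentials"
        # Local password: evaluate lockout state before touching the credential.
        if e.locked_time is not None:
            if PWD_LOCKOUT_DURATION == 0 or now - e.locked_time < PWD_LOCKOUT_DURATION:
                return "locked"
            e.locked_time = None              # lockout duration has elapsed
            e.failure_times.clear()
        # Failures older than the count interval no longer count.
        e.failure_times = [t for t in e.failure_times if now - t < PWD_FAILURE_COUNT_INTERVAL]
        if hmac.compare_digest(e.pw_hash, _digest(password, e.salt)):
            e.failure_times.clear()
            return "success"
        e.failure_times.append(now)
        if len(e.failure_times) >= PWD_MAX_FAILURE:
            e.locked_time = now
            return "locked"
        return "invalidCredentials"


if __name__ == "__main__":
    ad = RemoteDirectory()
    ad.add("CN=alice,CN=Users,DC=corp,DC=example", "Correct-Horse-1")
    dj = LocalDirectory(ad)
    dj.add_pass_through("uid=alice,ou=People,dc=example,dc=com",
                        "CN=alice,CN=Users,DC=corp,DC=example")
    print(dj.stores_password("uid=alice,ou=People,dc=example,dc=com"))
    print(dj.simple_bind("uid=alice,ou=People,dc=example,dc=com", "Correct-Horse-1", 0.0))
```

The two points worth noticing are that a pass-through entry never contains anything an attacker who copies the local database could crack, and that a correct password is still refused while the account is locked: lockout is evaluated before the credential, so a guesser cannot learn whether the final guess was right.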


■ Administration: The OpenDJ GUI-based installer and control panel reduce installation and server configuration to a few minutes. The command-line utilities give complete access to all server management controls and monitoring, locally or remotely. OpenDJ also offers advanced backup and restore functions such as automated, compressed, signed, and encrypted backups that improve data reliability and security.

■ Monitoring: By supporting the widely adopted monitoring standards SNMP and JMX, OpenDJ can easily integrate into your existing monitoring infrastructure. Configure custom alerts to inform administrators about specific directory service events such as password expiration, access control being disabled, backend database corruption detection, and much more.

■ Developer Access: OpenDJ provides data access through multiple protocols: REST, LDAP, and Web Services. It fully complies with the LDAPv3 and DSMLv2 standards to ensure maximum interoperability with client applications. The OpenDJ SDK provides a high-performance, easy-to-use library of classes and interfaces for accessing and implementing LDAP directory services.

Customer Use Case

CUSTOMER: ZIGGO
Customer services move from Sun to OpenAM & OpenDJ

ABOUT ZIGGO: Ziggo is the largest media and communication services provider in the Netherlands. Ziggo serves 7 million users in 3 million households, 1.9 million broadband Internet customers, 2.3 million digital television customers, 1.6 million telephone subscribers, and 1.4 million bundle customers on a 98% fibre network. Ziggo’s products and services for small and large business markets comprise telephone, data communication, and electronic payment systems.

THE CHALLENGE:

■ Ziggo needed to launch new customer services, including federation support for business partners and fine-grained access management for customers, that their deployment at the time could not handle.

■ The directory server contained 2,500,000 identities that needed to be synchronized and available in real time throughout 3 geo-separated data centers, in order to ensure high availability. And, Ziggo had to maintain live functioning of core business during the transition, so it was vital for Ziggo to migrate the entire directory server dataset with no loss of service.

■ Multiple integration points and custom components needed to be transitioned.

THE SOLUTION:

■ OpenAM was used to replace SunAM and included existing and new features like SAML 2.0. OpenDJ replaced Sun DSEE as the new directory server platform.

■ All 2,500,000 entries were migrated and replicated across three geo-separated data centers, in a predictable and risk-managed fashion ensuring no loss of service.

■ Previous customizations were also migrated to the platform and included in the new supported environment.

■ A successful proof-of-concept (POC), where technical personnel from Ziggo worked closely with ForgeRock expertise during implementation, identified and resolved all pitfalls in advance of go-live.

“Using OpenAM and OpenDJ has enabled us to move much faster and more effectively in the demanding world of access management; the migration itself was fast, simple, straightforward and trouble-free.”

J. TEN BRINK, Senior System Specialist, Ziggo


OpenIDM Overview:

OpenIDM is a response to the pain organizations experience when deploying legacy enterprise provisioning solutions. These mostly proprietary solutions are monolithic, heavyweight, painfully slow to deploy, and outrageously expensive. Unlike legacy identity management solutions, OpenIDM is the only 100% open source, lightweight provisioning solution purpose-built for Internet scale. OpenIDM consists of modular identity services that are “plug and play.” For example, the solution ships with Activiti as its Business Process Management (BPM) engine; the modular architecture lets you replace it with an alternative BPM engine. In addition, OpenIDM has a simple REST API that is ideal for developers who need provisioning across enterprise, cloud, social, and mobile environments.

OpenIDM is a User Administration and Provisioning solution that addresses the challenges faced by organizations using legacy provisioning systems by removing deployment complexity, proprietary scripting and business process modeling, and limited scalability. Because the Java-based architecture is built on the OSGi framework, OpenIDM (see Diagram 4: OpenIDM Functional Architecture) is able to provide lightweight, modular services such as automated workflow, user self-service, registration, password synchronization, data reconciliation, and audit logging, all accessible through a developer-friendly REST API and usable with standard Java development tools such as Eclipse, NetBeans, and Spring. OpenIDM provides workflow-driven provisioning through an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard.

The modular design of OpenIDM enables complete flexibility to use the embedded workflow engine and NoSQL database or to replace them with your own choice. In addition, with a small footprint, the entire OpenIDM service can itself be completely embedded and custom-tooled to the requirements of the target application. OpenIDM connects to external systems, databases, directory servers, and other sources of identity through the identity connector framework, OpenICF (Open Identity Connectors Framework).

Historically, the reason for building an internal enterprise User Administration and Provisioning system was to connect to the HR system. Now with OpenIDM, organizations can support both internal employee systems and large-scale customer-facing applications for registration, user self-service, password reset, and user profile management. The object model is designed to support the methods the organization chooses to manage identity information. The options are to configure OpenIDM to create a virtual identity that holds only links to external systems (the data-sparse model) or to create a meta-directory that centrally stores a copy of identity attributes (the data-full model).


Diagram 4: OpenIDM Functional Architecture (diagram; only the layer labels are recoverable from the page)

UI Layer: ForgeRock UI Framework

Access Layer: Common REST

Business Logic Layer: JavaScript | Groovy | Java

Services Layer: Password Management | Provisioning Services | Report & Audit Service | Directory Service | OpenIDM Repository | Task Scanner | Workflow Engine | Policy Service

External Resources Layer

Key OpenIDM Features:

■ Password Synchronization: OpenIDM password synchronization is a service that allows organizations to proactively manage user passwords to ensure uniformity across all applications and data stores, such as Active Directory. With password synchronization, a user can authenticate using the same credentials on each synchronized resource. In tandem with the user self-service feature, OpenIDM significantly reduces helpdesk costs by automating password reset and enforcing centralized password policy. Note that synchronization writes the same credential into every connected store, so the channel to each connector must be protected and the weakest store’s password storage sets the exposure for all of them; pass-through authentication, described under OpenDJ above, is the alternative when that trade-off is unacceptable.

■ User Provisioning: OpenIDM provides a workflow engine and business process engine that support the create, update, and delete functions based on workflow-driven provisioning activities, whether for self-service actions such as a user request for access to an application, or an administrator running sunrise or sunset processes to handle bulk onboarding or off-boarding. To simplify defining workflows and business processes, the embedded Activiti module can be used for modeling, testing, and deployment. Activiti supports BPMN 2.0 process definition models, which can not only be exchanged between different graphical editors, but can also execute as-is on any BPMN 2.0-compliant engine.

■ Synchronization, Reconciliation: In addition to passwords, OpenIDM has the ability to sync and reconcile other attributes, including role and group data, between connected systems. These functions are critical to ensure that identity information is clean, consistent, and accurate throughout the organization. OpenIDM has a flexible synchronization mechanism that provides for on-demand and scheduled resource comparisons and is a key process for audit and compliance reporting.

■ Audit Logging: OpenIDM auditing can log all relevant system activity, including activity against the connected systems. This includes auditing the data from the reconciliation process, access details, and detailed activity logs that capture operations on both OpenIDM and the connected systems. Audit data can be used to generate all the relevant reports, including orphan account reports, by running a report query, or can be exported to other reporting tools.
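The following is an added example and not OpenIDM code: a Python model of one reconciliation run as described in the Synchronization, Reconciliation bullet, producing the orphan-account report mentioned under Audit Logging. Source objects (an HR feed) are compared with target objects (accounts in a connected directory) through the link table and a correlation rule; each object is assigned one of the situations OpenIDM documents, the situation is mapped to an action, and the target accounts no valid source claims are reported as orphans. The situation names are OpenIDM’s; the situation-to-action table, the correlation rule (match on mail), the validSource rule (status equals active) and all sample records are assumptions constructed for this example.

```python
"""Added example, not OpenIDM code: a model of a reconciliation run.
Situation names follow OpenIDM's documentation; the action mapping,
correlation rule, validSource rule and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Situation -> action (assumed mapping, not a shipped default).
SITUATION_POLICY = {
    "CONFIRMED": "UPDATE",        # linked and target present: push changes
    "FOUND": "LINK",              # no link, exactly one correlated target
    "ABSENT": "CREATE",           # no link, no target: provision one
    "AMBIGUOUS": "EXCEPTION",     # no link, several targets: needs a human
    "MISSING": "EXCEPTION",       # linked, but the target has disappeared
    "UNQUALIFIED": "DELETE",      # source no longer qualifies (e.g. terminated)
    "UNASSIGNED": "REPORT",       # target with no link and no source: orphan
    "SOURCE_MISSING": "DELETE",   # linked target whose source is gone: orphan
}

Obj = Dict[str, str]


@dataclass(frozen=True)
class Result:
    situation: str
    action: str
    source_id: Optional[str]
    target_id: Optional[str]


def valid_source(s: Obj) -> bool:
    """validSource rule (assumed): only active HR records may own accounts."""
    return s.get("status") == "active"


def correlate(s: Obj, target: Dict[str, Obj]) -> List[str]:
    """Correlation query (assumed): target accounts whose mail matches the source."""
    return sorted(tid for tid, t in target.items() if t.get("mail") == s.get("mail"))


def reconcile(source: Dict[str, Obj], target: Dict[str, Obj],
              links: List[Tuple[str, str]],
              policy: Dict[str, str] = SITUATION_POLICY) -> List[Result]:
    by_source = dict(links)                       # source id -> target id
    by_target = {tid: sid for sid, tid in links}  # target id -> source id
    results: List[Result] = []

    def emit(sit: str, sid: Optional[str], tid: Optional[str]) -> None:
        results.append(Result(sit, policy[sit], sid, tid))

    # Phase 1: iterate the source and classify every source object.
    for sid, s in source.items():
        tid = by_source.get(sid)
        if not valid_source(s):
            emit("UNQUALIFIED", sid, tid)
        elif tid is not None:
            emit("CONFIRMED" if tid in target else "MISSING", sid, tid)
        else:
            cands = correlate(s, target)
            if not cands:
                emit("ABSENT", sid, None)
            elif len(cands) == 1:
                emit("FOUND", sid, cands[0])
            else:
                emit("AMBIGUOUS", sid, None)

    # Phase 2: iterate the target to find accounts nothing on the source claims.
    claimed = {tid for s in source.values() if valid_source(s) for tid in correlate(s, target)}
    for tid in target:
        sid = by_target.get(tid)
        if sid is not None:
            if sid not in source:
                emit("SOURCE_MISSING", sid, tid)
        elif tid not in claimed:
            emit("UNASSIGNED", None, tid)
    return results


def orphan_report(results: List[Result]) -> List[str]:
    """Target accounts no valid source object accounts for."""
    return sorted(r.target_id for r in results
                  if r.situation in ("UNASSIGNED", "SOURCE_MISSING") and r.target_id)


# Constructed sample data for this example.
SOURCE: Dict[str, Obj] = {
    "hr1": {"mail": "alice@example.com", "status": "active"},
    "hr2": {"mail": "bob@example.com", "status": "active"},
    "hr3": {"mail": "carol@example.com", "status": "active"},
    "hr4": {"mail": "dave@example.com", "status": "terminated"},
    "hr5": {"mail": "erin@example.com", "status": "active"},
    "hr7": {"mail": "frank@example.com", "status": "active"},
}
TARGET: Dict[str, Obj] = {
    "ldap-alice": {"mail": "alice@example.com"}, "ldap-bob": {"mail": "bob@example.com"},
    "ldap-dave": {"mail": "dave@example.com"}, "ldap-erin1": {"mail": "erin@example.com"},
    "ldap-erin2": {"mail": "erin@example.com"}, "ldap-ghost": {"mail": "ghost@example.com"},
    "ldap-old": {"mail": "old@example.com"},
}
LINKS = [("hr1", "ldap-alice"), ("hr4", "ldap-dave"), ("hr7", "ldap-frank"), ("hr9", "ldap-old")]


def run_sample() -> List[Result]:
    return reconcile(SOURCE, TARGET, LINKS)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r.situation:<15}{r.action:<10} source={r.source_id} target={r.target_id}")
    print("orphans:", orphan_report(run_sample()))
```

The target-side pass is what makes the orphan report possible: an account that no link and no correlation rule can tie back to a qualified source record (ldap-ghost, and ldap-old whose HR record hr9 has vanished) is exactly the kind of account that survives off-boarding unnoticed, and it only surfaces if the run iterates the target as well as the source.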

■ Cloud: With complete flexibility in data and object schema, the OpenIDM architecture enables support for both traditional on-premises applications and cloud service providers such as Workday, Google Apps, and Salesforce.com. Using the REST API, OpenIDM is easy to configure straight out of the box to provide user provisioning and administration services to cloud providers without complex customization. This simplifies account creation, updating, deletion, and auditing without the cost and overhead of deploying multiple systems.

■ Developer Access: An access layer provides the user interfaces and public APIs for accessing and managing the OpenIDM repository and its functions. RESTful interfaces provide APIs for CRUD operations and for invoking synchronization and reconciliation, for both HTTP and Java. Our pluggable server-side scripting engine provides JavaScript and Groovy out of the box. User interfaces provide password management, registration, self-service, and workflow services.

Customer Testimonials

The industry shift to identity relationship management presents opportunities for ForgeRock’s customers across the full spectrum of industry verticals, including among others financial services, telecommunications, retail, insurance, government, and education. The sampling of testimonials here speaks to the business value and revenue-growth opportunities driven by ForgeRock’s consumer-facing IRM platform.

“Salesforce selected ForgeRock because [they are] highly scalable, easy-to-customize, [and] extend user identities beyond the traditional firewall and into the cloud.”

CHUCK MORTIMORE, VP Product Management, Salesforce Identity

“ForgeRock was a clear choice to support our IT infrastructure as we build out our new platforms.”

JON BERGMAN, Global Director Enterprise Applications & Governance, Axalta

“ForgeRock enabl[ed] mission critical business services…while providing secure, seamless onboarding & access to our services.”

ANUP NAIR, CIO, Vantiv


“The migration itself was fast, simple, straightforward and trouble-free.”

J. TEN BRINK, Senior Systems Specialist, Ziggo

“Thanks to the integration with the existing Oracle SSO server and the federated SSO in ForgeRock OpenAM, end-users can log in to the web and cloud applications with full transparency, and without credentials growing out of control.”

RUUD STROET, ICT Architect, PLUS Retail

“ForgeRock understood what it meant to create a modern, best-in-class Web experience for our large and exceedingly diverse customer base.”

GREG KALINSKY, Senior Vice President & Chief Information Officer, GEICO

“ForgeRock is the technology foundation to our Sky ID service.”

CASPAR ATKINSON, Director Products and Identity, BskyB

“OpenAM’s simple, secure access to government services played a large part in the success of the eGovernment initiative.”

TOR ALVIK, COO, Agency for Public Management & eGovernment

“The ForgeRock deployment will create a better user experience for customers and delivered strong backend support, while providing a flexible, architecturally elegant, & technologically superior solution for the company.”

MIKE WILSON, CISO, McKesson


7. Business Model

A ForgeRock Open Identity Stack subscription gives you unlimited rights to use our software in production and access to valuable support resources to aid you in planning and designing your mission-critical deployment. Our open model makes evaluation simple; just download our enterprise software and use it for proof-of-concept and prototyping new applications. Once you’re ready to design, architect, and deploy, simply purchase a subscription and we will work with you to make sure your project is a success.

Only ForgeRock subscription customers receive access to maintenance releases that include easy-to-deploy, tested patches and fixes. A subscription also gives customers access to product support professionals and resources to guide the design, architecture, and deployment phases, a must for any mission-critical deployment. Finally, legal indemnification safeguarding users in the event of a legal claim related to your ForgeRock subscription is also included.

ForgeRock Services

ForgeRock Support is optimized to put customers in touch with the expert who can help them. We offer global 24x7 support staffed in your local time zone, a flat structure staffed by development engineers, co-located support staff and engineering, and support staff evaluated on customer satisfaction, not ticket throughput. We know that minimizing your downtime means better access, availability, and more revenue.

ForgeRock Professional Services provides responsive, high-impact services for mission-critical success. We understand that our customers want to get up and running rapidly so they can realize business impact and see results quickly. To enable this, we developed a suite of professional services that provide the best of our expertise in targeted offerings ready to be delivered straight away. Each of the seven service offerings is focused on one of the three major project lifecycle phases of Design, Build and Production and is offered at two levels: Foundation (usually 3 days) and Extended (usually 5 days).

ForgeRock University offers a job-role driven curriculum for system integrators, consultants, administrators and developers who are working with our leading Open Identity Stack offering. This ensures that whatever role you have, you always have the right skills for the tasks. With course materials developed in partnership with the community leaders for each project, we offer the most comprehensive learning to support your deployment of the Open Identity Stack.


8. Conclusion: The ForgeRock Advantage

The open source identity relationship management platform developed by ForgeRock provides a vibrant alternative to traditional, proprietary IAM platforms. The Open Identity Stack is a simple, open, developer-friendly platform for building identity relationship management services for enterprise, cloud, social, and mobile systems. The Open Identity Stack enables agile business innovation with its modular, massively scalable, and lightweight infrastructure. For technical staff, the Open Identity Stack provides a simple, easy-to-use approach to delivering identity services for enterprise, cloud, social, and mobile applications. For CEOs, it provides a new, highly effective and reusable method of managing trust relationships with parties inside and outside of a company, relationships that are now tied directly to the business’s top line.

Why the Open Identity Stack is Unique

■ It is the only 100% commercial open source identity relationship management stack available on the market today.

■ The first to offer an agile, all-in-one, unified stack for rapidly building identity services that are lightweight, modular, massively scalable, and developer-friendly - built ground-up to work as a cohesive whole and unite enterprise, social, cloud, and mobile security strategies into a single common platform.

■ The first fully-developed IRM solution, it’s efficient, secure, and accurate - it directly contributes to business’ top-line revenue by giving consumers easy access to secure applications where they can buy services.

Solution Benefits

■ “Unified Platform” works as an efficient, cohesive whole to enable organizations to innovate anywhere, anytime, on any device, whether consumer-facing or employee-centric, to address major growth initiatives globally.

■ “Lightweight Infrastructure” provides the flexibility to implement only what is needed when the business needs it—nothing more, nothing less.

■ “Connected Security” provides a solution to connect enterprise, cloud, social, and mobile security strategies into a single, common platform to maintain enterprise-level security.

About ForgeRock: ForgeRock is redefining identity and access management for the modern web, including public cloud, private cloud, hybrid cloud, enterprise, and mobile environments. ForgeRock products support mission-critical operations with a fully open source platform. ForgeRock’s Open Identity Stack powers solutions for many of the world’s largest companies and government organizations. For more information and free downloads, visit www.forgerock.com or follow ForgeRock on Twitter at www.twitter.com/forgerock.

ForgeRock is the trademark of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries.