ForgeRock Limited

Identity Management Platform

ForgeRock helps people safely and simply access the connected world by enabling exceptional digital experiences, no-compromise security and comprehensive functionality at scale with simple, flexible, rapid implementations. The ForgeRock Identity Platform is delivered with push-button deployments to any cloud or into any data centre or as a hybrid,

Features

  • Access Management - intelligent authentication, authorisation, SSO & identity federation
  • Identity Management - user lifecycle management, registration, synchronization & workflow
  • Identity Governance - automated access request fulfilment & access review
  • Identity Gateway - secure APIs & integrate with legacy
  • Directory Services - highly scalable, self-replicating LDAP directory
  • Autonomous Identity - targeted governance driven by machine learning
  • Edge Security - identity for constrained and unconstrained devices
  • Microservices Security - modern identity for microservices-based architectures
  • Professional services - Customer Success Management & Delivery
  • Training

Benefits

  • Cloud Deployment in Minutes - cloud, hybrid or on-premises
  • Orchestration Engine with Intelligent Authentication - UI-driven adaptive authentication
  • DevOps Ready - built for automation & Kubernetes-enabled
  • Highly Scalable - 1/10/100 million users
  • Open Standards - interoperable whilst avoiding vendor lock-in
  • Unified Architecture - common APIs for ease of development
  • Powerful Identity Ecosystem - ready-to-go third-party integrations
  • Extensible Architecture - fully configurable & customisable with scripts
  • Privacy and Consent - comprehensive GDPR-ready controls
  • Integrated Support and Engineering - reduced time to resolution

Pricing

£0.25 to £9.50 a user a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at keith.dear@forgerock.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

406398457862461

Contact

ForgeRock Limited, Keith Dear
Telephone: 07803148842
Email: keith.dear@forgerock.com

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
The ForgeRock Identity Platform can integrate with any mobile or web application, data store, service, API or device used by consumers or workforce that requires identity management.
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints
None
System requirements
The ForgeRock Identity Platform is deployed:
  • Inside a Java Virtual Machine (JVM)
  • Running on Virtual Machines or Containers
  • In AWS, Azure, Google Cloud or private cloud

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is included with the ForgeRock subscription and is available in a number of plans offering varying degrees of web, email, and telephone support up to 24x7.

The following SLA goals are applicable to each support level:

Bronze - Response times by priority: 1-Urgent: 1 Day; 2-High: 2 Days; 3-Normal: 3 Days; 4-Low: 4 Days.

Silver - Response times by priority: 1-Urgent: 4 Hours; 2-High: 8 Hours; 3-Normal: 1 Day; 4-Low: 2 Days.

Gold - Response times by priority: 1-Urgent: 2 Hours; 2-High: 4 Hours; 3-Normal: 6 Hours; 4-Low: 1 Day.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support is included with the ForgeRock subscription and is available in a number of plans offering varying degrees of web, email, and telephone support up to 24x7. Access to updates/bug fixes (maintenance releases) is included as standard, and additional options include accelerated SLAs, business reviews and strategic planning, and deployment support services.

The following SLA goals are applicable to each support level:

Bronze - Response times by priority: 1-Urgent: 1 Day; 2-High: 2 Days; 3-Normal: 3 Days; 4-Low: 4 Days.

Silver - Response times by priority: 1-Urgent: 4 Hours; 2-High: 8 Hours; 3-Normal: 1 Day; 4-Low: 2 Days.

Gold - Response times by priority: 1-Urgent: 2 Hours; 2-High: 4 Hours; 3-Normal: 6 Hours; 4-Low: 1 Day.

ForgeRock offers Deployment Support Services (DSS) which can be used throughout the course of a deployment project. These services are available as DSS Hours for flexibility, and Packaged Workshops for focused collaboration at key project decision points.

A Customer Success Manager (CSM) may be assigned to look after a customer to provide additional focus and proactive service. Typically this involves regular calls, additional assistance in prioritizing support tickets and introductions and meetings arranged with other ForgeRock staff (for instance Product Management) where appropriate.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
ForgeRock invests considerably in customer success. With this in mind, there are a variety of knowledge sharing methods available to our customers, starting with formal education provided by our University team, followed by access to our knowledge library where release notes, documentation, video demonstrations, and many other sources of information are available.

During the project scoping phase a member of the University team would scope out an education strategy to fully enable the team supporting your project. We would then oversee delivery of that program, following with an assessment of the knowledge uplift. ForgeRock's curriculum is designed to address the needs of the project team from design and deployment, through to support and customisation.

Courses are delivered in a variety of ways to suit your needs wherever you are located. Instructor-led courses are delivered worldwide, either in a traditional classroom setting or via a live link to a virtual classroom. Upon request, courses can be tailored to your specific requirements and delivered privately.

Other opportunities for knowledge sharing include webinars, whitepapers, blogs, monthly Tech Talks, Identity Live Summits, and seminar presentations at various industry conferences.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
All of the products in the ForgeRock Identity Platform support the bulk import and export of configuration artifacts and identity data. This can be achieved in a variety of ways.

Using ForgeRock's CREST (Common REST) API, configuration and identity data can be securely exported in a standard JSON format. ForgeRock Access Management ships with the Amster command-line tool, which allows an entire Access Management configuration to be exported to and imported from JSON files, including all resource sets and policy rules.

User data stored in a ForgeRock Directory Services LDAP repository can be retrieved by an appropriately authenticated user through either LDAP or REST calls.
ForgeRock Identity Management supports various connectors, which allow data to be imported from source systems and exported to target systems. Connectors are also provided for CSV and XML import and export.

ForgeRock's products have been designed from the ground up on open standards to be as open as possible. This significantly reduces the risk of vendor lock-in. If in the future a customer wanted to migrate away from ForgeRock products, there is nothing that would hinder or prevent that.
End-of-contract process
The contract is based on an annual software licence with an integrated support service. Contracts can be renewed or cancelled annually.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Yes
Compatible operating systems
  • Linux or Unix
  • Windows
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
ForgeRock Identity Platform services are consumed either through a device-agnostic and responsive web-based UI, our SDK or REST APIs. In all cases the same services are available across all types of devices.
Service interface
Yes
Description of service interface
Administration of the ForgeRock Identity Platform can be achieved through a fully featured, device-agnostic and responsive user interface (UI), via the common REST API, via command-line tools/scripts, and via configuration files.

The graphical UI allows an administrator, or group of administrators, to manage all aspects of the platform, including authentication flows, authorization policies, federation configuration, data stores, synchronization/provisioning, attribute mapping, end-user management, and all other aspects of the platform.
Accessibility standards
None or don’t know
Description of accessibility
All ForgeRock Identity Platform components endeavor to comply with accessibility standards such as Section 508, WAI-ARIA (Web Accessibility Initiative - Accessible Rich Internet Applications) or more recently WCAG (Web Content Accessibility Guidelines) 2.0 Level AA compliance. In conjunction with system accessibility tools this enables users to navigate around the entire product set. For example, user-facing web pages are appropriately marked to allow accessible tools to read them.

Similarly, ForgeRock mobile applications are developed to work in conjunction with mobile platform capabilities to meet accessibility needs.
Accessibility testing
None
API
Yes
What users can and can't do using the API
One of the unique features of the ForgeRock Identity Platform is that all components of the platform share a single, easy-to-use RESTful web API framework, known as ForgeRock Common REST (CREST).

CREST defines an API intended for common use across all ForgeRock components and for invoking underlying services across the platform. It includes a set of easy-to-remember REST calls to Create, Read, Update, Delete, Patch, Action and Query (CRUDPAQ) identity objects and services.

APIs can be used to:

* Fully deploy the platform and all functionality and features
* Manage the user and identity lifecycle
* Read, write and synchronise data to and from the platform
* Configure and administer the platform
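As an added illustration of the CRUDPAQ conventions described above (example code written for this listing, not ForgeRock's own code), the following Python assembles the seven CREST request shapes as plain dicts against an assumed placeholder base URL and resource path, escaping query-filter literals and requiring the object's `_rev` as `If-Match` on mutating calls. The header, parameter and patch-operation names are CREST conventions assumed here, not taken from the listing.

```python
import json
import re
from urllib.parse import quote, urlencode

# Assumed placeholders: real deployments use their own host, context path and
# resource names; nothing here is taken from the service listing.
BASE_URL = "https://idm.example.test/openidm"
RESOURCE = "managed/user"
# CREST endpoints are versioned; the exact value is deployment-specific (assumed).
HEADERS = {"Accept-API-Version": "resource=1.0", "Content-Type": "application/json"}

FILTER_OPS = {"eq", "co", "sw", "lt", "le", "gt", "ge"}
PATCH_OPS = {"add", "remove", "replace", "increment", "move", "copy", "transform"}
FIELD_RE = re.compile(r"^/?[A-Za-z0-9_.]+(/[A-Za-z0-9_.]+)*$")


def quote_filter_value(value: str) -> str:
    """CREST string literal with backslash and quote escaped, so an untrusted
    value such as 'x" or mail pr' cannot widen the query to other records."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_filter(field: str, op: str, value: str) -> str:
    """One comparison for _queryFilter; field names and operators are whitelisted."""
    if op not in FILTER_OPS or not FIELD_RE.match(field):
        raise ValueError("unsupported filter field or operator")
    return f"{field} {op} {quote_filter_value(value)}"


def _request(method, path="", params=None, body=None, rev=None):
    """Assemble one CREST request (nothing is sent). PUT/PATCH/DELETE must carry
    the object's _rev as If-Match so a stale client cannot overwrite newer data."""
    headers = dict(HEADERS)
    if method in ("PUT", "PATCH", "DELETE"):
        if not rev:
            raise ValueError(f"{method} requires the current _rev for If-Match")
        headers["If-Match"] = rev
    # quote(safe='') keeps an id containing '/' from escaping into another resource.
    url = f"{BASE_URL}/{RESOURCE}" + (f"/{quote(path, safe='')}" if path else "")
    if params:
        url += "?" + urlencode(params)
    return {"method": method, "url": url, "headers": headers,
            "body": None if body is None else json.dumps(body)}


def validate_patch(ops):
    """Reject malformed CREST patch operations before they reach the server."""
    for op in ops:
        kind = op.get("operation")
        if kind not in PATCH_OPS or not FIELD_RE.match(op.get("field", "")):
            raise ValueError(f"bad patch operation: {op}")
        if kind in ("move", "copy") and "from" not in op:
            raise ValueError(f"{kind} needs 'from': {op}")
        if kind not in ("remove", "move", "copy") and "value" not in op:
            raise ValueError(f"{kind} needs 'value': {op}")
    return ops


# The CRUDPAQ verbs mapped onto HTTP.
def create(obj):
    return _request("POST", params={"_action": "create"}, body=obj)

def read(obj_id, fields=None):
    return _request("GET", obj_id, {"_fields": ",".join(fields)} if fields else None)

def update(obj_id, obj, rev):
    return _request("PUT", obj_id, body=obj, rev=rev)

def delete(obj_id, rev):
    return _request("DELETE", obj_id, rev=rev)

def patch(obj_id, ops, rev):
    return _request("PATCH", obj_id, body=validate_patch(ops), rev=rev)

def action(obj_id, name, body=None):
    return _request("POST", obj_id, {"_action": name}, body)

def query(field, op, value, page_size=50):
    return _request("GET", params={"_queryFilter": build_filter(field, op, value),
                                   "_pageSize": page_size})
```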
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
  • PDF
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
The ForgeRock Identity Platform is modular and pluggable by design for the purposes of adapting or extending behaviour and functionality.

Many areas of functionality can be adapted or extended by administrators or system integrators through the use of simple scripts written in JavaScript or Groovy. The platform defines Service Provider Interfaces (SPIs) where you can integrate your own extensions and plugins.

There are many adaptable components of the platform, common ones include:

- Scripted authentication nodes
- Post authentication classes
- SAML2 SP adapter class
- IdP adapter class
- Identity Provider (IdP) finder class
- Access token scripts
- OAuth scope implementation class
- Directory Services server-side Java plugins
- Email message implementation class
- Custom OIDC claim provider
- ForgeRock Identity Management custom REST endpoints
- ForgeRock Identity Management scripting

Aspects of the platform which can be adapted are fully documented and include documented APIs where appropriate.

Sample code is provided and can be used as a reference or starting point for customisation. The platform has been specifically engineered for flexibility and appropriate safeguards are in place, for example scripting sandboxes and whitelisting.

Scaling

Independence of resources
The ForgeRock platform can scale to many millions of identities. Our average customer uses the platform for 1M+ user identities, with several customers approaching or exceeding 100M.

As a managed service, the ForgeRock platform can be deployed using DevOps technologies into public cloud and scale elastically as required.

ForgeRock's PaaS solution uses tenant isolation in a multi-tenant service utilising individual trust zones, to provide scalability, from a few thousand to hundreds of millions of users.

Analytics

Service usage metrics
Yes
Metrics types
ForgeRock monitoring is designed to allow alerting on availability, system characteristics, performance and events. Examples include high CPU and low memory or, higher in the stack, failed critical transactions.

The ForgeRock platform uses Dropwizard Metrics as its common metrics framework. Prometheus can be used to monitor the metrics published over REST, and you can extend this further with tools such as Graphite and Grafana.

Audit logs gather information about events such as authentication, system access, user and administrator activity, errors, and configuration changes. Logs are commonly consumed by third-party SIEM solutions, such as FireEye®, Guardian Analytics®, Logstash and Splunk.
Reporting types
  • API access
  • Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
No
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
The ForgeRock Identity Platform provides a comprehensive GDPR-ready user Profile and Privacy dashboard. Through this dashboard users can manage their own profile details, manage applications which they have consented to, manage how they choose to share data and with whom, and manage what personal data is shared with external databases such as marketing automation platforms. It also addresses many other user requirements of GDPR, including giving users the ability to save their profile data locally and the right to delete their profile.
Data export formats
Other
Other data export formats
JSON
Data import formats
  • CSV
  • Other
Other data import formats
JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
ForgeRock provides a 99.9% uptime SLA. If ForgeRock does not fulfill its Availability SLA obligations, then Customer may be entitled to Service Credit(s).
Approach to resilience
ForgeRock Identity Cloud leverages regional clusters to increase the availability of both a cluster's control plane and its nodes by replicating them across multiple zones within a region. We leverage the strengths of in-region protection within our infrastructure provider for these capabilities.
Outage reporting
ForgeRock Identity Cloud provides a dashboard for all customers to review their current environment uptime and see if there are any outages. Customer-impacting outages are also notified via email alerts.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
  • Other
Other user authentication
ForgeRock Intelligent Authentication balances the need to administer more secure, risk-aware authentication scenarios against the need to maintain a friction-free login experience for users.

Delivered through a trees framework, Intelligent Authentication provides a platform for modelling the authentication journey using nodes to detect digital signals, make decisions, and direct the authentication accordingly. Decision nodes are configured to direct the journey, gathering information along the way. This information is not only used to determine risk, but can also be used to inform downstream apps of the accumulated knowledge gained during the authentication journey.
Access restrictions in management interfaces and support channels
Administrators can delegate responsibility to other administrators with limits on the scope of their abilities, based on specific criteria designated at the time of creation. With these limits in place, the administrators of the application can choose which customers and which data the delegated administrator will have access to. Where a customer needs to provision access for troubleshooting, a break-glass scenario is in place. The break-glass account is for use only in emergency situations where ForgeRock has lost access to the service, or is at imminent risk of doing so.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Username or password
  • Other
Description of management access authentication
ForgeRock Intelligent Authentication balances the need to administer more secure, risk-aware authentication scenarios against the need to maintain a friction-free login experience for users.

Delivered through a trees framework, Intelligent Authentication provides a platform for modelling the authentication journey using nodes to detect digital signals, make decisions, and direct the authentication accordingly. Decision nodes are configured to direct the journey, gathering information along the way. This information is not only used to determine risk, but can also be used to inform downstream apps of the accumulated knowledge gained during the authentication journey.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
The ForgeRock Board of Directors has the overall responsibility to provide management direction and support for information security in accordance with the business requirements and relevant laws and regulations.

The Chief Information Security Officer (CISO) is the owner of ForgeRock Information Security Management System (ISMS) and all security policies, with all changes to ISMS and security policies being reviewed and approved by the CISO. The CISO leads the Enterprise Security team to ensure ForgeRock’s security practices conform to international standards and are validated by regular audits.

A senior executive leadership team forum called the Privacy and Security Governance Board (PSGB) reviews and authorizes initiatives to strengthen security and privacy within the organization where necessary, and constantly monitors and reviews substantial changes in the threats against ForgeRock information assets.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All ForgeRock System Administrators follow the principles set out in the ForgeRock Information Security Management System (ISMS):
* All proposed major changes are communicated to all relevant stakeholders;
* The Enterprise Security team is always one of the stakeholders;
* All major changes are documented, reviewed and authorized by senior management;
* Rollback plans or emergency procedures are created to revert changes if necessary;
* Duties and responsibilities are separated for all systems, services, and applications;
* Development, testing, and maintenance are separated from operations to reduce the risk of unauthorised access or changes.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
ForgeRock deploys automated vulnerability scanning of all production and Internet facing systems on a regular basis. All new systems and services are scanned prior to being deployed to production. Manual penetration testing both by internal security engineers and external penetration vendors is performed on new major systems and products or when major changes occur.

ForgeRock manages patches and vulnerability updates via standard change management practices: updates and patches are reviewed for criticality and, where appropriate, tested for business impact prior to deployment, in emergency or scheduled deployment periods depending on the severity of each patch and vulnerability.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Where permissible by law, access to and use of ForgeRock IT systems are logged, analysed and monitored to detect unauthorised information processing activities, with usage and decisions traceable to a specific entity.

All substantial disruptions and irregularities of system operations are documented, along with potential causes of the errors. All security incidents are logged for all essential systems. System clocks are synchronized to the correct time to allow for accurate security monitoring and investigation. Chain of custody procedures are established to preserve security incident evidence for sharing with government entities or for litigation.
Incident management type
Supplier-defined controls
Incident management approach
The ForgeRock Enterprise Security team has established, and regularly reviews and tests, incident management plans and procedures to respond to security incidents, including contracts with appropriate third-party vendors to help with investigation or resolution of potential incidents. As soon as a security incident is suspected to have involved any compromise of, or access to, customer or supplier data, an incident notification process is started and maintained with all potentially affected parties until the incident is brought to a resolution.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£0.25 to £9.50 a user a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Full access to platform modules
Link to free trial
https://developer.forgerock.com/trial-registration
