Open Identity Stack. Forging a New Future with Identity Relationship Management
- Muriel Foster
- 10 years ago
White Paper

Open Identity Stack
Forging a New Future with Identity Relationship Management

1. Executive Summary
2. Introduction
3. Business Pain Points
4. Business Trends
5. The Open Source Solution
6. The ForgeRock Model
7. Business Model
8. Conclusion
1. Executive Summary

Identity and Access Management (IAM) services were traditionally built for a company's internal use, to assist with manual on and off boarding, and establishing access privileges to company data and systems behind the firewall. Today though, a company must implement a dynamic IAM solution that serves employees as well as customers, partners, and devices, regardless of location. ForgeRock embraces this shift from internal, on-premises IAM to Identity Relationship Management (IRM): public-facing, secure, and accessible identity as business enabler. ForgeRock's next-generation IRM platform is designed to empower CEOs and enterprises to engage with consumers via new revenue-generating services, while continuing to maintain our proven traditional IAM capabilities.

2. Introduction

Business, education, and government institutions use identity management platforms to regulate individuals' identities and their associated attributes, credentials, and entitlements organization-wide. Today, identity relationship management is necessary both on and off-premises, increasingly important for managing users in mobile, social, and cloud environments.

Legacy identity management solutions were not built for cloud compatibility, device-agnostic access, high volume, or consumer engagement, and most were built by acquisition, rather than designed to work as a cohesive whole. This makes them inherently:

- static
- limited in scalability
- difficult to implement
- hard to exit
- complex to integrate
- inaccessible to most developers
- heavyweight
- unconscionably expensive

Solutions must be flexible enough to support new consumer-facing mobile, social, web, and cloud app projects, while providing seamless integration with legacy systems. Platforms should be purpose-built to work together anywhere, so clients are never saddled with the costs of acquisitions.
Agile organizations need solutions that are:

- adaptable
- highly scalable
- simple to implement
- exitable
- modular
- developer-friendly
- lightweight
- cost-effective

Identifying and targeting these solution benefits is especially critical now, during this transition period from traditional, on-premises IAM to mobile, social, web, and cloud-compatible IRM platforms, as businesses make decisions about their future identity strategy. Making a great identity decision will not merely protect a company's data; it will allow the organization to shift away from the burden of supporting legacy systems, to investment in solutions that accelerate innovation and drive top-line growth.

FORGEROCK.COM
3. Business Pain Points

The legacy IAM pain points described above pose challenges for the enterprise in the following ways:

Static
Traditional IAM is designed for specific static events, but in today's IRM world, systems must understand and react to contextual circumstances to determine whether or not you get access, and if so, how much and to what. If you log in from a new device or from a different country, for example, a modern, adaptable IRM system will adjust to the uncertain circumstances and ask you for additional authentication beyond a simple password.

Difficult to Implement
Legacy IAM solutions, traditionally constructed through acquisitions, are chock full of varying APIs, documentation, libraries, and protocols with no consistent standard of operation. Developers waste valuable time learning how all the parts and pieces work, instead of modifying, customizing, and streamlining the platform to suit unique business needs.

Complex to Integrate
Proprietary IAM suites notoriously demand a rip and replace migration process from clients' existing platforms. Proprietary code is hidden from developers looking to incorporate new solutions into existing IAM strategies, and is not designed to be customizable or play well with others. Traditional IAM, typically built piecemeal through acquisitions and tacking on parts as needs arise, struggles to respond to the multitude of users, circumstances, devices, access points, and access privileges that dominate today's IRM world.

Heavyweight
Designed for the old world of on-premises IAM security, these solutions generally rely on heavyweight APIs and complex standards that are only accessible to developers and architects with specialized identity knowledge.
Limited in Scalability
Traditional IAM platforms were designed to protect the security perimeter and employees only, making them difficult to adapt for the modern enterprise, which must maintain mobile, web, social, cloud, and on-premises identity data simultaneously in order to satisfy client, customer, and employee IRM needs. As the number of users grows exponentially, modern IRM systems must be able to accommodate hundreds, thousands, or even millions of additional identities instantaneously, achieving a scalable volume that was neither possible nor needed for the enterprise, but is essential in an Internet-connected, consumer-facing world.

Hard to Exit
Proprietary solutions are infamous for rip and replace migration strategies and vendor lock-in contracts. Once an enterprise has experienced the lengthy, painful process of moving all IAM data and operations to the new platform, they are unlikely to want to repeat the process again soon, whether or not they are satisfied with the platform. And when the contracts come up for renewal, high-pressure legal tactics are used to force enterprise customers to immediately renew in order to avoid use of the product in breach of contract.

Inaccessible to Developers
Legacy IAM platforms built by acquisition are saddled with a whole host of disparate APIs, libraries, documentation, etc., hindering the developer's ability to learn, make adjustments, tailor solutions, and teach others to use the platform. Proprietary code gives developers limited maneuverability.

Unconscionably Expensive
Contracts with legacy vendors famously begin with a discount, but then quickly ramp up in maintenance and subscription fees, gouging customers for every feature and upsell. High-pressure tactics are used to elicit renewals at a significantly higher price point, and clients are hesitant to go through another round of painful rip and replace migration.
The costs are always high because the customer pays for the acquisitions that built their IAM platform.
4. Business Trends

Though enterprises tolerated the challenges of legacy IAM platforms in the past, they now face a greater and growing need for highly effective IRM solutions, internally and externally. The number of users, devices, and identities to manage is growing exponentially, increasing numbers of applications are moving to the cloud and other devices, and CEOs are determined to engage with consumers in order to drive top-line revenue and maintain an edge over the competition.

Today, effective security demands integrated, contextual, and highly scalable identity data, efficient, consumer-facing services, and developer-friendly ways to support the growing milieu of users, devices (laptops, phones, touchpads, cars, etc.), and mobile, social, web, and cloud applications (on or off premises). CIOs must invest in IRM solutions because identity management is now a business driver that touches customers, partners, employees, and users, directly impacting top line revenue. This is the evolution of IAM to IRM: Identity Relationship Management.

This shift in business emphasis has a direct technical impact on how we think about identity and access management. Managing risk, privacy, auditing, reporting, and compliance are ongoing costs of business that an effective identity management strategy should continue to address. The right identity relationship management solution will also actively contribute to essential top-line growth by adhering to the pillars of IRM outlined below:

Pillars of IRM

Business Pillars
1. CONSUMERS AND THINGS over employees
2. ADAPTABLE over predictable
3. TOP LINE REVENUE over operating expense
4. VELOCITY over process

Technical Pillars
5. INTERNET SCALE over enterprise scale
6. DYNAMIC INTELLIGENCE over static intelligence
7. BORDERLESS over perimeter
8. MODULAR over monolithic

CONSUMERS AND THINGS OVER EMPLOYEES
Traditional IAM platforms were designed for on-premises employee use and are unable to provide the quick, secure, and device-flexible IAM experience customers are looking for. Modern identity management must manage access privileges for all stakeholders across a variety of devices.

ADAPTABLE OVER PREDICTABLE
Unlike traditional IAM designed for specific static events, IRM must understand contextual circumstances. For example, a user logging in from a different device or location should have access to the information they need.

TOP LINE REVENUE OVER OPERATING EXPENSE
IAM has always been viewed as a necessity for employees and therefore a business cost. In today's world, the security system is used to authenticate and authorize both consumers and employees. If an IRM solution is efficient, secure, and accurate, it can directly contribute to a business's top line revenue, as customers will have easy access to secure applications where they can buy services.
VELOCITY OVER PROCESS
IAM has migrated from business cost to business driver. Companies suffer materially if their IAM solution takes too long to deploy, adapt, or respond to user events. Employees had to put up with slow IAM systems, but customers don't and won't. Modern IRM serving employees, customers, and devices must instantly react to variable circumstances and events, and must be massively scalable and available so that no user ever waits around or, worse, is shut out. CIOs today make IRM decisions based on speed, ease of use, and the ability to scale to handle customer volume, not based on implementation and cost of deployment.

This shift in business emphasis has a direct technical impact on how we think about identity and access management. Through this shift we have come to value:

INTERNET SCALE OVER ENTERPRISE SCALE
Today's users access secure systems not just on premises, but in the cloud and via the Internet, any time, day or night. Today's users are not just employees logging on at work but also partners, customers, and devices signing in from anywhere. As the number of users grows exponentially, modern IRM systems must be able to accommodate hundreds, thousands, or even millions of additional identities instantaneously, achieving a scalable volume that was neither possible nor needed for the enterprise, but is essential in an Internet-connected, consumer-facing world.

DYNAMIC INTELLIGENCE OVER STATIC INTELLIGENCE
Traditional IAM was designed for a specific set of events (employee on and off-boarding, for example) taking place in a predictable on-premises work environment. Today's IRM must understand the circumstances in order to determine whether or not you get access, and if so, how much and to what. If you log in from a new device or from a different country, for example, a modern, adaptable IRM system will adjust to the uncertain circumstances and ask you for additional authentication beyond a simple password.
BORDERLESS OVER PERIMETER
Once upon a time, employees arrived at the office, logged into secure systems and logged back off at the end of the day. In today's work-from-anywhere culture, employees, as well as partners and customers, need access from laptops, phones, tablets and even cars. They access secure data stored not only on company premises, but also in the cloud and hosted by SaaS providers.

MODULAR OVER MONOLITHIC
Today's IRM demands are much more complex than those of traditional IAM. A good IRM solution is designed from the ground up as an integrated, cohesive stack that is purpose-built to handle complexity. Traditional IAM, typically built piecemeal through acquisitions and tacking on parts as needs arise, struggles to respond to the multitude of users, circumstances, devices, access points, and access privileges that dominate today's IRM world.

As more people, devices and things are assigned identities across networks, IRM services that are simple, flexible, scalable, and designed to quickly verify identities and access privileges become imperative for any business to safely and efficiently engage with their customers. Today's solutions must link devices (laptops, phones, touchpads, cars) and new mobile and social apps to a single security platform that works all the time, everywhere, on premises or off in the cloud. Our Open Identity Stack is designed with this new reality in mind.
5. The Open Source Solution

The open source model addresses many of the IAM pain points businesses currently experience, and caters to the pillars of IRM outlined above. Open source software is not proprietary, and procurement is simple: users just download the code and use it for proof of concept and testing straight out of the box, for free. It allows an organization to experiment with the code before deciding it provides an ideal IRM solution, allowing them to innovate in the IRM sector where their competitors cannot.

Once ready to design, architect, and deploy, users simply purchase a subscription license. ForgeRock provides a bundled offering, where a subscription provides enterprise customers with a software license, maintenance releases, global support, and legal indemnification, giving you the power, protection, and insurance you need for a successful deployment. And at the end of the day, there is no barrier to exit. Any enterprise with a subscription is able to use as much or as little of the open source code as they like, pairing it with proprietary solutions, using it in part, or using the whole suite straight out of the box.

This open model comes with code that is flexible and adjustable by design. It's also great code: developers are notoriously hesitant to release code with their name on it without thoroughly vetting it first, lest they lose credibility with the entire community, who can see all of their work. More eyeballs also means fewer bugs and quicker fixes, making open source code the safest code available. The ForgeRock global team of developers and active and engaged community members work together to develop fixes, innovations, and stable new releases faster than anyone else on the market, maximizing quality, efficiency, and value.
It also provides a development model where organizations can commit code tailored to their needs back to the project, where it must pass a rigorous QA process, providing a level of participation and influence that is not possible with proprietary offerings. The beauty of open source is that modifications of general interest will be vetted and then accepted into the code base by the community, diminishing the need for additional development staff on the part of the customer, and expensive requests for custom code from proprietary vendors. Over time, open source has the power to bring identity and access management code development for the majority of companies big and small into alignment, thereby establishing a safe, useful, efficient, transferable, and elegantly architected IRM standard.

"As a large telecom with an extensive IT environment and needs, we value having access to the source code."
KEVIN HIGGINS, Telecom NZ

The open source model presents a highly attractive alternative as enterprises seek out lightweight, flexible IRM solutions that can accommodate anytime, anywhere, any device consumer-facing projects, in addition to traditional on-premises needs.
6. The ForgeRock Model

ForgeRock is committed to the development of identity relationship management through the creation of simple, open source, developer-friendly identity solutions that we call the Open Identity Stack. A single, common programming interface enables simple access to OpenAM, OpenIDM, and OpenDJ, so that each delivers rich, modular, massively scalable, lightweight identity relationship management services. Removing the complexity of the underlying services with multiple tiers of API abstraction (See Table 1: Developer API Tiers) is a significant advantage to developers and the business. Now for the first time, a developer can utilize reusable shared services across an entire identity platform, whatever the requirements of the application strategy.

This is a completely different model from the standard legacy provider approach, which requires developers to bend applications to support the vendor. The ForgeRock developer-centric approach and common API development platform is changing what was once costly and complex into easily accessible and reusable solutions that companies can implement safely and efficiently, whether internally or externally, in order to effectively drive top line revenue.

Table 1: Developer API Tiers

Tier 1: ARCHITECTURE
- Lightweight and simple
- Common APIs across stack
- Program language agnostic
>>> Simple REST Services

Tier 2: IDENTITY STANDARDS
- Standards based services
- Reusable and scalable
- Interoperable and open
>>> Key Standards (SAML, OAuth2.0, SCIM, WS*, OpenID Connect)

Tier 3: PLUGINS AND CONNECTORS
- No need to touch application
- Abstracted security
- Scalable and robust
>>> Applications
The Open Identity Stack Shared Services-Based Architecture

[Diagram 1: Open Identity Stack Shared Services]

The Open Identity Stack is a shared services-based architecture for managing the complete lifecycle of an identity and its ongoing usage, including the attributes, credentials, and entitlements; the real-time controls for access based on attributes, role, entitlement, and context; and the administration and reporting of those activities. The architecture has many shared services that span the three core products, making it easier to develop, implement, and manage your deployment. These services (See Diagram 1: Open Identity Stack Shared Services) include a common RESTful API, registration, and standards-based services such as OAuth2.0, among others, along with a common lightweight UI model to help integrate the internal Open Identity Stack components as well as external systems, and provide a unified experience for developers and administrators.

The Open Identity Stack is 100% open source and consists of the following solutions:

- OpenAM is an open source Authentication, Authorization, Federation, Web Services Security, Fine-Grained Entitlements, and Adaptive Authorization solution. It also includes application and web container policy enforcement agents. Packaged with OpenAM, OpenIG (Identity Gateway) is a high-performance gateway with specialized session management and credential replay functionality.
- OpenIDM is an open source User Administration and Provisioning solution. OpenIDM uses the Open Identity Connectors Framework and Toolkit (OpenICF) to aid development of resource connectors.
- OpenDJ is the first directory server to provide native support of the REST API. It is an open source LDAP directory service with a high-performance, highly available, secure directory server, built-in data replication, client tools, and a developer-friendly LDAP SDK. Access is provided via LDAP, Web Services, and REST API.
OpenAM Overview:

OpenAM was designed in response to a milieu of access management suites that were pieced together through acquisitions, creating an accidental architecture that complicates deployment and passes integration costs on to customers. Based on the Sun OpenSSO codebase, OpenAM (See Diagram 2: OpenAM Functional Architecture) is an All-In-One access management platform for protecting any type of resource across enterprise, cloud, social, and mobile environments. What has traditionally been delivered by legacy identity vendors as six different products (SSO, adaptive authentication, strong authentication, federation, web services security, and fine-grained entitlements) is delivered as a single, unified offering. Organizations can use the access control services they need and simply turn on additional services when ready.

The solution has an inherently unique architecture to support use cases from complex enterprise access control, to multiprotocol federation, to enabling SSO for cloud systems. At the highest level OpenAM consists of a single, self-contained Java application; service components such as session management; client side APIs in C, Java, REST; service provider interfaces to enable custom plugins; and policy agents for web and app server containers to enforce access policies to protected web sites and web applications. Organizations with existing internal access management solutions can easily integrate OpenAM into their environment through API services or through the token translation service.

Maintaining all installation and configuration capabilities within one application vastly simplifies deployment. In addition, agent configuration, server configuration, and other tasks are simplified to be repeatable and scalable, so multiple instances of the solution can be deployed without additional effort.
The embedded OpenDJ directory server eliminates the need to configure a separate directory to support the configuration and user stores, or if desired, users can utilize other LDAP directories such as Sun DSEE or databases.

[Diagram 2: OpenAM Functional Architecture]
- UI Layer: Management, End User
- Protected Resources Layer: Web Agents, JavaEE Agents, WS Agents
- Access Layer: Common REST, OpenID Connect, OAuth2, SAML, WS
- Services Layer: AuthN, Federation, Adaptive Risk, AuthZ, Session Management, SSO, Entitlements, Password Management, Logging
- Data Persistence Layer
- External Layer: Authentication Systems; User Directory Stores; Reporting Tools; SIEM, Analytics Tools
Key OpenAM Features:

Authentication: With over 20 out-of-the-box authentication methods supported, OpenAM has the flexibility to chain methods together along with Adaptive Risk scoring, or to create custom authentication modules based on the JAAS (Java Authentication and Authorization Service) open standard. Windows IWA is supported to enable a completely seamless heterogeneous OS and Web application SSO environment.

Authorization: OpenAM provides authorization policy from basic, simple, coarse-grained rules to highly advanced, fine-grained entitlements based on XACML (Extensible Authorization Mark-Up Language). With the ability to abstract authorization policy away from the application, developers can quickly add or change policy as needed without modification to the underlying application.

Adaptive Risk Authentication: The adaptive risk authentication module is used to assess risks during the authentication process, to determine whether to require that the user complete further authentication steps. Adaptive risk authentication determines, based on risk scoring, whether more information from a user is required when they log in. For example, a risk score can be calculated based on an IP address range, access from a new device, account idle time, etc., and applied to the authentication chain.

Federation: Federation services securely share identity information across heterogeneous systems or domain boundaries using standard identity protocols (SAML, WS-Fed, OpenID Connect). Quickly set up and configure service provider or cloud service connections through the Fedlet, OAuth2.0 Client, OAuth2.0 Provider, or OpenIG Federation Gateway. OAuth2.0 support is an open standard for modern federation and authorization, allowing users to share their private resources with tokens instead of credentials.
Unique to OpenAM, the OpenIG Federation Gateway provides a SAML2 compliant enforcement point and allows businesses to quickly add SAML2 support to their applications with little to no knowledge of the standard. In addition, there is no need to modify the application or install any plugin or agent on the application container. Out-of-the-box tools enable simple task-based configuration of Google Apps, ADFS2, along with many other integration targets. OpenAM can also act as a multi-protocol hub, translating for providers who rely on other, older standards.

Single Sign-On: OpenAM provides multiple mechanisms for SSO, whether the requirement is enabling cross-domain SSO for a single organization, or SSO across multiple organizations through the Federation Service. OpenAM supports multiple options for enforcing policy and protecting resources, including policy agents that reside on web or application servers, a proxy server, or the OpenIG (Identity Gateway). OpenIG runs as a self-contained gateway and protects web applications where installing a policy agent is not possible.

High Availability: To enable high availability for large-scale and mission-critical deployments, OpenAM provides both system failover and session failover. These two key features help to ensure that no single point of failure exists in the deployment, and that the OpenAM service is always available to end-users. Redundant OpenAM servers, policy agents, and load balancers prevent a single point of failure. Session failover ensures the user's session continues uninterrupted, and no user data is lost.

Developer Access: OpenAM provides client application programming interfaces with Java and C APIs and a RESTful API that can return JSON or XML over HTTP, allowing users to access authentication, authorization, and identity services from web applications using REST clients in their language of choice.
OAuth2.0 also provides a REST Interface for the modern, lightweight federation and authorization protocol.
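The risk-scoring decision described under Adaptive Risk Authentication can be sketched as follows. This is an added example, not ForgeRock or OpenAM code: the class and function names, weights, trusted networks, idle limit, and threshold are all hypothetical values chosen for illustration.

```python
"""Added illustration of adaptive risk scoring; not OpenAM's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Hypothetical policy values (assumptions, not OpenAM defaults).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
MAX_IDLE = timedelta(days=90)
WEIGHTS = {"ip_outside_range": 2, "new_device": 2, "idle_account": 1}
STEP_UP_THRESHOLD = 2  # score at or above this requires a further step


@dataclass
class Account:
    username: str
    known_devices: Set[str] = field(default_factory=set)
    last_login: Optional[datetime] = None  # None: never logged in


@dataclass
class LoginAttempt:
    source_ip: str
    device_id: Optional[str]  # None: client presented no device identifier
    when: datetime


@dataclass
class Decision:
    score: int
    signals: List[str]
    next_step: str  # "allow" or "step_up"


def risk_signals(account: Account, attempt: LoginAttempt) -> List[str]:
    """Return the names of the risk checks this attempt trips."""
    signals = []
    try:
        addr = ip_address(attempt.source_ip)
        in_range = any(addr in net for net in TRUSTED_NETWORKS)
    except ValueError:
        in_range = False  # unparseable address: fail closed, treat as risky
    if not in_range:
        signals.append("ip_outside_range")
    if attempt.device_id is None or attempt.device_id not in account.known_devices:
        signals.append("new_device")
    if account.last_login is None or attempt.when - account.last_login > MAX_IDLE:
        signals.append("idle_account")
    return signals


def evaluate(account: Account, attempt: LoginAttempt) -> Decision:
    """Score an attempt whose password already verified and pick the next step.

    A high score never denies outright here; it moves the user to a further
    authentication step, as the paragraph above describes.
    """
    signals = risk_signals(account, attempt)
    score = sum(WEIGHTS[name] for name in signals)
    next_step = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return Decision(score=score, signals=signals, next_step=next_step)


if __name__ == "__main__":
    # Constructed sample data.
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    alice = Account("alice", {"laptop-1"}, now - timedelta(days=2))
    for ip, device in [("10.1.2.3", "laptop-1"), ("203.0.113.7", "phone-9")]:
        print(ip, device, evaluate(alice, LoginAttempt(ip, device, now)))
```

Logging the tripped signal names alongside the score gives responders the reason a step-up was demanded, which a bare number does not.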
Customer Use Case

CUSTOMER: Government of Norway
Providing 4M citizens access to 300+ Government services online

THE CHALLENGE: Deliver secure government services to Norwegian citizens and businesses so they can do things like obtain birth and death certificates, apply for schools and student loans, manage welfare services and health information, and pay parking tickets, automobile registration fees, utility bills, and taxes online.

THE SOLUTION: Implement a flexible, secure, single-access architecture built with ForgeRock OpenAM to enable nearly 100% of citizens to access over 300 government services.

"OpenAM's simple, secure access to government services played a large part in the success of the eGovernment initiative."
TOR ALVIK, COO, Agency for Public Management & eGovernment

HOW: The hub, ID-Porten, is at the center of the architecture. Government agencies such as the tax office, labor and welfare agency, health economics administration agency, and water and energy directorate, are the spokes that use the authentication and single sign-on services of ID-Porten. The ID-Porten implements several levels of authentication: MyID, which uses PIN code authentication; BankID, a bank-issued electronic ID; Buypass, a private electronic ID that can also be used to bet online in Norway; and Certificates, which are stored in USB pens and issued by a private company. Each of the authentication eIDs can be associated with different authentication contexts and different authentication strengths.

BENEFITS: Nearly 100 percent of adult citizens and over 500,000 businesses now access municipal, regional, and national government services from a single portal online, resulting in better security, faster processing times, and measurable savings. Scalability and performance. ID and the authentication environment can handle more than one million users signing in on a single day without outages or degradation in performance, like on the day taxes are due.
OpenDJ Overview:

OpenDJ is the only 100% open source, lightweight, embeddable big data platform for easily sharing real-time user identity data across enterprise, cloud, social, and mobile environments. Recognizing that traditional approaches to accessing identity data are overly complex, OpenDJ provides developers with choice. Developers no longer need to be LDAP experts. OpenDJ lets developers choose either LDAP or REST to access identity data using a single solution that can replicate data across on-premise and off-premise applications. OpenDJ combines the security of a proven directory with the accessibility of a database.

OpenDJ is an LDAPv3 and REST compliant directory service, developed for the Java platform, providing a high-performance, highly available, and secure store for the identities managed by your organization. Easy to install and configure, and combined with the utility of the Java platform, OpenDJ is the simplest, fastest directory to deploy and manage.

Core to the management of identity information, OpenDJ directory services are used in many different use cases, whether it is for a large-scale cloud service directory, a consumer-facing directory, or an enterprise or network operating system (NOS) directory. With a 100% Java code base, OpenDJ runs on many platforms, including virtualized environments. All software and data are architecture-independent, so migration to a different OS or a different server is as simple as copying an instance to the new server. This increases the deployment flexibility, as well as the portability between different operating systems and system architectures.
[Diagram 3: OpenDJ Functional Architecture]
- UI Layer: Management, End User
- Access Layer: Common REST, LDAP SDK, LDAPv3
- Services Layer: REST2LDAP, Access Control, Password Policy, Groups, Schema Management, Caching, LDAPv3, Replication, Monitoring, Auditing
- External Layer: Active Directory; Samba; User Directory Stores; Reporting Tools; SIEM, Analytics Tools

Key OpenDJ Features:

Performance: OpenDJ is optimized for performance at scale with data integrity and security. With millisecond response times and read/write performance in the tens of thousands per second, OpenDJ satisfies the most rigorous performance requirements across industries from telecom and financial services to large-scale consumer-facing applications.

Replication Services: By replicating data across multiple directory server instances, key user data is preserved in case of an outage. OpenDJ provides advanced replication options including multi-master, fractional, and assured. N-Way multi-master replication provides high-availability and disaster recovery capabilities. Fractional replication enables only specific attributes to be replicated, and assured replication can be used to guarantee data availability even in the remote case of a server crash.

Security: OpenDJ stores identity data securely, with varying levels of authentication and authorization, including SSL, StartTLS, and certificate-based. It protects passwords through encryption and advanced access control security policies. All configuration changes are audited and archived, offering easy rollback to a working configuration.

Delegated Authentication: OpenDJ permits delegating authentication to another LDAP directory service, such as Active Directory, with a feature called pass-through authentication. The key benefit of pass-through authentication is to remove the security risks associated with synchronizing passwords (including possible capture and transfer of clear text passwords).
With pass-through authentication, OpenDJ replays a user's simple bind operation against the remote directory service. If the bind is successful, OpenDJ considers the user authenticated to perform subsequent operations like searches and updates in OpenDJ.

Password Policy: OpenDJ password policies govern not only passwords, but also account lockout, and how OpenDJ provides notification about account status.
Administration: The OpenDJ GUI-based installer and control panel simplify installation and server configuration down to a few minutes. The command line utilities enable complete access to all server management controls and monitoring locally or remotely. OpenDJ also offers advanced backup and restore functions such as automated, compressed, signed, and encrypted backups that improve data reliability and security.

Monitoring: By supporting the widely adopted monitoring standards SNMP and JMX, OpenDJ can easily integrate into your existing monitoring infrastructure. Configure custom alerts to inform administrators about specific directory service events such as password expiration, access controls disablement, backend database corruption detection, and much more.

Developer Access: OpenDJ provides data access through multiple protocols: REST, LDAP, and Web Services. It fully complies with LDAPv3 and DSMLv2 standards to ensure maximum interoperability with client applications. The OpenDJ SDK provides a high-performance, easy-to-use library of classes and interfaces for accessing and implementing LDAP directory services.

Customer Use Case

CUSTOMER: ZIGGO
Customer services move from Sun to OpenAM & OpenDJ

ABOUT ZIGGO: Ziggo is the largest media and communication services provider in the Netherlands. Ziggo serves 7 million users in 3 million households, 1.9 million broadband Internet customers, 2.3 million digital television customers, 1.6 million telephone subscribers, and 1.4 million bundle customers on a 98% fibre network. Ziggo's products and services for small and large business markets comprise telephone, data communication, and electronic payment systems.

THE CHALLENGE: Ziggo needed to launch new customer services, including federation support for business partners and fine-grained access management for customers, that their deployment at the time could not handle.
The directory server contained 2,500,000 identities that needed to be synchronized and available in real-time, throughout 3 geo-separated data centers, in order to ensure high availability. Ziggo also had to keep its core business running during the transition, so it was vital to migrate the entire directory server dataset with no loss of service. Multiple integration points and custom components needed to be transitioned.

THE SOLUTION: OpenAM was used to replace SunAM and included existing and new features like SAML 2.0. OpenDJ replaced Sun DSEE as the new directory server platform. All 2,500,000 entries were migrated and replicated across three geo-separated data centers, in a predictable and risk-managed fashion ensuring no loss of service. Previous customizations were also migrated to the platform and included in the new supported environment. A successful proof-of-concept (POC), where technical personnel from Ziggo worked closely with ForgeRock experts during implementation, identified and resolved all pitfalls in advance of go-live.

"Using OpenAM and OpenDJ has enabled us to move much faster and more effectively in the demanding world of access management; the migration itself was fast, simple, straightforward and trouble-free."
J. TEN BRINK, Senior System Specialist, Ziggo
OpenIDM

Overview: OpenIDM is a response to the pain organizations experience when deploying legacy enterprise provisioning solutions. These mostly proprietary solutions are monolithic, heavyweight, painfully slow to deploy, and outrageously expensive. Unlike legacy identity management solutions, OpenIDM is the only 100% open source, lightweight provisioning solution purpose-built for Internet Scale. OpenIDM consists of modular identity services that are plug and play. For example, the solution ships with Activiti as its Business Process Management (BPM) Engine. However, if you want to replace it with an alternative BPM engine, the modular architecture allows you to easily do so. In addition, OpenIDM has a simple REST API that is ideal for developers in need of provisioning across enterprise, cloud, social, and mobile environments.

OpenIDM is a User Administration and Provisioning solution that addresses the challenges faced by organizations using legacy provisioning systems, by removing deployment complexity, proprietary scripting, business process modeling, and limited scalability. Because the Java-based architecture is built on the OSGi framework, OpenIDM (see Diagram 4: OpenIDM Functional Architecture) is able to provide lightweight, modular services such as automated workflow, user self-service, registration, password sync, data reconciliation, and audit logging, all accessible through a developer-friendly REST API using standard Java development tools such as Eclipse, NetBeans, Spring, etc.

OpenIDM provides workflow-driven provisioning activities through an embedded workflow and business process engine based on Activiti and the Business Process Model and Notation (BPMN) 2.0 standard. The modular design of OpenIDM enables complete flexibility to use the embedded workflow engine and NoSQL database or replace them with your own choice.
In addition, with a small footprint, the entire OpenIDM service can itself be completely embedded and custom-tooled to the requirements of the target application. OpenIDM connects to external systems, databases, directory servers, and other sources of identity through the identity connector framework, OpenICF (Open Identity Connectors Framework).

Historically, the reason for building an internal enterprise User Administration and Provisioning system was to connect to the HR system. Now with OpenIDM, organizations can support both internal employee systems and large-scale customer-facing applications for registration, user self-service, password reset, and user profile management. The object model is designed to support the methods the organization chooses to manage identity information. The options are to configure OpenIDM to create a virtual identity with links to external systems (data sparse model) or to create a meta-directory that centrally stores a copy of identity attributes (data full model).
[Diagram 4: OpenIDM Functional Architecture. Layers shown: UI Layer (ForgeRock UI Framework); Access Layer (Common REST); Business Logic Layer (JavaScript, Groovy, Java); Services Layer (Provisioning Services, Password Management, Report & Audit Service, Directory Service, OpenIDM Repository, Task Scanner, Workflow Engine, Policy Service); External Resources Layer.]

Key OpenIDM Features:

Password Synchronization: OpenIDM password synchronization is a service that allows organizations to proactively manage user passwords to ensure uniformity across all applications and data stores such as Active Directory. With password synchronization, a user can authenticate using the same credentials on each synched resource. In tandem with the user self-service feature, OpenIDM significantly reduces helpdesk costs by automating password reset and enforcing centralized password policy.

User Provisioning: OpenIDM provides a workflow engine and business process engine that support the create, update, and delete functions based on workflow-driven provisioning activities, whether for self-service actions such as a user request for access to an application, or an administrator running sunrise or sunset processes to handle bulk onboarding or off-boarding. To simplify defining workflows and business processes, the embedded Activiti module can be used for modeling, testing, and deployment. Activiti supports BPMN 2.0 process definition models, which can not only be exchanged between different graphical editors, but can also execute as is on any BPMN 2.0-compliant engine.

Synchronization, Reconciliation: In addition to passwords, OpenIDM has the ability to sync and reconcile other attributes including role and group data between connected systems. These functions are critical to ensure that identity information is clean, consistent, and accurate throughout the organization. OpenIDM has a flexible synchronization mechanism that provides for on-demand and scheduled resource comparisons and is a key process for audit and compliance reporting.

Audit Logging: OpenIDM auditing can publish and log all relevant system activity to the connected systems. This includes auditing the data from the reconciliation process, access details, and detailed activity logs that capture operations with both OpenIDM and the connected systems. Auditing data can be generated for all the relevant reports, including orphan account reports, by running a report query, or downloaded to other reporting tools.

Cloud: With complete flexibility in data and object schema, the OpenIDM architecture enables support for both traditional on-premise applications and cloud service providers such as Workday, Google Apps, and Salesforce.com. Using the REST API, OpenIDM is easy to configure straight out of the box to provide user provisioning and administration services to cloud providers without complex customization. This simplifies account creation, updating, deleting, and auditing without the cost and overhead of deploying multiple systems.

Developer Access: An access layer provides the user interfaces and public APIs for accessing and managing the OpenIDM repository and its functions. RESTful interfaces provide APIs for CRUD operations and for invoking synchronization and reconciliation for both HTTP and Java. Our pluggable server-side scripting engine provides JavaScript and Groovy out of the box. User interfaces provide password management, registration, self-service, and workflow services.

Customer Testimonials

The industry shift to identity relationship management presents opportunities for ForgeRock's customers across the full spectrum of industry verticals, including among others financial services, telecommunications, retail, insurance, government, and education.
The sampling of testimonials here speaks to the business value and revenue-growth opportunities driven by ForgeRock's consumer-facing IRM platform.

"Salesforce selected ForgeRock because [they are] highly scalable, easy-to-customize, [and] extend user identities beyond the traditional firewall and into the cloud."
CHUCK MORTIMORE, VP Product Management, Salesforce Identity

"ForgeRock was a clear choice to support our IT infrastructure as we build out our new platforms."
JON BERGMAN, Global Director Enterprise Applications & Governance, Axalta

"ForgeRock enabl[ed] mission critical business services while providing secure, seamless onboarding & access to our services."
ANUP NAIR, CIO, Vantiv
"The migration itself was fast, simple, straightforward and trouble-free."
J. TEN BRINK, Senior Systems Specialist, Ziggo

"Thanks to the integration with the existing Oracle SSO server and the federated SSO in ForgeRock OpenAM, end-users can log in to the web and cloud applications with full transparency, and without credentials growing out of control."
RUUD STROET, ICT Architect, PLUS Retail

"ForgeRock understood what it meant to create a modern, best-in-class Web experience for our large and exceedingly diverse customer base."
GREG KALINSKY, Senior Vice President & Chief Information Officer, GEICO

"ForgeRock is the technology foundation to our Sky ID service."
CASPAR ATKINSON, Director Products and Identity, BSkyB

"OpenAM's simple, secure access to government services played a large part in the success of the eGovernment initiative."
TOR ALVIK, COO, Agency for Public Management & eGovernment

"The ForgeRock deployment will create a better user experience for customers and delivered strong backend support, while providing a flexible, architecturally elegant, & technologically superior solution for the company."
MIKE WILSON, CISO, McKesson
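The reconciliation and orphan account reporting described in the OpenIDM feature list above, as an added example that is not ForgeRock's code and does not use the OpenIDM API: a stand-alone Python model that correlates an authoritative identity source with the accounts on one connected system and classifies every record. The record layout, the situation names and the sample data are assumptions constructed for illustration.

```python
"""Model of a reconciliation run between an authoritative identity source and
one connected system. Illustrative only: record layout, situation names and
sample data are constructed here and are not taken from OpenIDM."""
from collections import defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    situation: str  # CONFIRMED, DRIFT, MISSING, LEAVER_ENABLED, ORPHAN, AMBIGUOUS
    key: str        # normalised correlation key
    detail: str


# Constructed sample: authoritative source, e.g. an HR export.
SOURCE = [
    {"mail": "Ana.Ruiz@example.com", "status": "active", "groups": ["sales"]},
    {"mail": "b.osei@example.com", "status": "active", "groups": ["finance", "approvers"]},
    {"mail": "c.lind@example.com", "status": "terminated", "groups": []},
    {"mail": "d.khan@example.com", "status": "active", "groups": ["it"]},
]

# Constructed sample: accounts read from the connected system.
TARGET = [
    {"login": "ana.ruiz@example.com", "enabled": True, "groups": ["sales"]},
    {"login": "b.osei@example.com", "enabled": True, "groups": ["finance", "admins"]},
    {"login": "c.lind@example.com", "enabled": True, "groups": ["sales"]},
    {"login": "svc-legacy@example.com", "enabled": True, "groups": ["admins"]},
    {"login": "old.temp@example.com", "enabled": False, "groups": []},
]


def correlation_key(value: str) -> str:
    """Normalise the attribute that links the two sides (here: e-mail)."""
    return value.strip().casefold()


def reconcile(source, target):
    """Classify every identity and account; return findings sorted for reporting."""
    accounts = defaultdict(list)
    for acct in target:
        accounts[correlation_key(acct["login"])].append(acct)

    findings, claimed = [], set()
    for ident in source:
        key = correlation_key(ident["mail"])
        claimed.add(key)
        matches = accounts.get(key, [])
        active = ident["status"] == "active"
        if len(matches) > 1:
            # Never pick one silently: a wrong link grants or hides access.
            findings.append(Finding("AMBIGUOUS", key,
                                    f"{len(matches)} accounts correlate; resolve manually"))
        elif not matches:
            if active:
                findings.append(Finding("MISSING", key, "active identity has no account"))
            # A terminated identity without an account needs no action.
        elif not active:
            if matches[0]["enabled"]:
                findings.append(Finding("LEAVER_ENABLED", key,
                                        "identity terminated, account still enabled"))
            else:
                findings.append(Finding("CONFIRMED", key, "deprovisioned"))
        else:
            acct = matches[0]
            extra = sorted(set(acct["groups"]) - set(ident["groups"]))
            missing = sorted(set(ident["groups"]) - set(acct["groups"]))
            if not acct["enabled"]:
                findings.append(Finding("DRIFT", key, "active identity, account disabled"))
            elif extra or missing:
                findings.append(Finding("DRIFT", key, f"extra={extra} missing={missing}"))
            else:
                findings.append(Finding("CONFIRMED", key, "in sync"))

    # Accounts that no identity claimed are the orphan account report.
    for key, accts in accounts.items():
        if key not in claimed:
            for acct in accts:
                state = "enabled" if acct["enabled"] else "disabled"
                findings.append(Finding("ORPHAN", key,
                                        f"{state}, groups={sorted(acct['groups'])}"))
    return sorted(findings, key=lambda f: (f.situation, f.key))


def by_situation(findings):
    """Group correlation keys per situation, e.g. for an audit summary."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.situation].append(f.key)
    return dict(grouped)


if __name__ == "__main__":
    for f in reconcile(SOURCE, TARGET):
        print(f"{f.situation:<15}{f.key:<26}{f.detail}")
```

For access reviews, the LEAVER_ENABLED and ORPHAN rows and the `extra` groups in DRIFT rows are the ones to triage first, since each is access that no current identity record justifies.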
7. Business Model

A ForgeRock Open Identity Stack subscription gives you unlimited rights to use our software in production and access to valuable support resources to aid you in planning and designing your mission-critical deployment. Our open model makes evaluation simple; just download our enterprise software and use it for proof-of-concept and prototyping new applications. Once you're ready to design, architect, and deploy, simply purchase a subscription and we will work with you to make sure your project is a success.

Only ForgeRock subscription customers receive access to maintenance releases that include easy-to-deploy and tested patches and fixes. Subscription also gives customers access to product support professionals and resources to guide the design, architecture, and deployment phases - a must for any mission-critical deployment. Finally, legal indemnification safeguarding users in the event of a legal claim related to your ForgeRock subscription is also included.

ForgeRock Services

ForgeRock Support is optimized to put customers in touch with the expert that can help them. We offer global 24x7 support staffed in your local time zone, a flat structure staffed by development engineers, co-located support staff and engineering, and support staff evaluated on customer satisfaction, not ticket throughput. We know that minimizing your downtime means better access, availability, and more revenue.

ForgeRock Professional Services provides responsive, high-impact services for mission-critical success. We understand that our customers want to get up-and-running rapidly so they can realize business impact and see results quickly. To enable this, we developed a suite of professional services that provide the best of our expertise in targeted offerings ready to be delivered straight away.
Each of the seven service offerings is focused on one of the three major project lifecycle phases of Design, Build and Production and is offered at two levels: Foundation (usually 3 days) and Extended (usually 5 days).

ForgeRock University offers a job-role driven curriculum for system integrators, consultants, administrators and developers who are working with our leading Open Identity Stack offering. This ensures that whatever role you have, you always have the right skills for the tasks. With course materials developed in partnership with the community leaders for each project, we offer the most comprehensive learning to support your deployment of the Open Identity Stack.
8. Conclusion: The ForgeRock Advantage

The open source identity relationship management platform developed by ForgeRock provides a vibrant alternative to traditional, proprietary IAM platforms. The Open Identity Stack is a simple, open, developer-friendly platform for building identity relationship management services for enterprise, cloud, social, and mobile systems. The Open Identity Stack enables agile business innovation with its modular, massively scalable, and lightweight infrastructure. For technical staff, the Open Identity Stack provides a simple, easy-to-use approach to delivering identity services for enterprise, cloud, social, and mobile applications. For CEOs, it provides a new, highly effective and reusable method of managing trust relationships with parties inside and outside of a company - relationships that are now tied directly to the business top line.

Why the Open Identity Stack is Unique

It is the only 100% commercial open source identity relationship management stack available on the market today. It is the first to offer an agile, all-in-one, unified stack for rapidly building identity services that are lightweight, modular, massively scalable, and developer-friendly - built ground-up to work as a cohesive whole and connect enterprise, cloud, social, and mobile security strategies into a single, common platform to maintain enterprise-level security.

Solution Benefits

Unified Platform works as an efficient, cohesive whole to enable organizations to innovate anywhere, anytime, on any device, whether consumer-facing or employee-centric, to address major growth initiatives globally.

Lightweight Infrastructure provides the flexibility to implement only what is needed when the business needs it - nothing more, nothing less.

Connected Security provides a solution to unite enterprise, social, cloud, and mobile security strategies into a single common platform.
The first fully-developed IRM solution, it's efficient, secure, and accurate - it directly contributes to business top-line revenue by giving consumers easy access to secure applications where they can buy services.

About ForgeRock

ForgeRock is redefining identity and access management for the modern web including public cloud, private cloud, hybrid cloud, and enterprise and mobile environments. ForgeRock products support mission-critical operations with a fully open source platform. ForgeRock's Open Identity Stack powers solutions for many of the world's largest companies and government organizations. For more information and free downloads, visit or follow ForgeRock on Twitter at

ForgeRock is the trademark of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries.

FORGEROCK.COM
G Cloud 6 CDG Service Definition for Forgerock Software Services
G Cloud 6 CDG Service Definition for Forgerock Software Services Author: CDG Date: October 2015 Table of Contents Table of Contents 2 1.0 Service Definition 3 1.0 Service Definition Forgerock as a Platform
WHITEPAPER OpenIDM. Identity lifecycle management for users, devices, & things
WHITEPAPER OpenIDM Identity lifecycle management for users, devices, & things Introduction Organizations of all sizes employ a variety of different approaches to manage identity administration and provisioning
Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity Stack
White Paper Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity Stack 1. Overview 2. OpenAM 3. OpenIDM 4. OpenDJ 5. Getting Started Tech Brief: Upgrading from Sun IAM to ForgeRock Open Identity
PRODUCT BRIEF OpenAM. Delivering secure access for customers, applications, devices and things
PRODUCT BRIEF OpenAM Delivering secure access for customers, applications, devices and things Introduction Identity and access management is going through a new golden age. CEOs are pushing growth as their
WHITEPAPER ForgeRock Identity Management. Identity lifecycle management for users, devices, and things
WHITEPAPER ForgeRock Identity Management Identity lifecycle management for users, devices, and things Introduction Organizations of all sizes employ a variety of different approaches to manage identity
Identity Relationship Management
November 2013 Identity Relationship Management Identity Relationship Management Identity Relationship Management Kantara Initiative, Believers of the World Unite. The Internet of Things is completely redefining
OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.
OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere. OpenAM, the only all-in-one open source access management solution, provides the
The Circle of Life: Protecting Your Sun IAM Investment with ForgeRock s Open Identity Stack (formerly Sun Open Source IAM)
White Paper The Circle of Life: Protecting Your Sun IAM Investment with ForgeRock s Open Identity Stack (formerly Sun Open Source IAM) 1. Overview 2. Understanding the Options 3. Solving the Customer Problem
Securing your business
Securing your business Anders Askåsen Product Manager for OpenIDM * World Wide Coverage ForgeRock.com Enterprise Open Source Software ForgeRock Norway ForgeRock USA ForgeRock UK ForgeRock France Consulting
Enterprise Open Source Identity Middleware. Anders Askåsen, Product Manager
Enterprise Open Source Identity Middleware Anders Askåsen, Product Manager The Day the Music Died Our Mission ForgeRock is an independent software vendor (ISV), whose core mission is to deliver an enterprise-class
OPENIAM ACCESS MANAGER. Web Access Management made Easy
OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access
Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.
PingFederate We went with PingFederate because it s based on standards like SAML, which are important for a secure implementation. John Davidson Senior Product Manager, Opower PingFederate is the leading
The Top 5 Federated Single Sign-On Scenarios
The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3
Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA 94107. info@okta.
Directory Integration with Okta An Architectural Overview Okta Inc. 301 Brannan Street San Francisco, CA 94107 [email protected] 1-888-722-7871 Contents 1 User Directories and the Cloud: An Overview 3 Okta
Extend and Enhance AD FS
Extend and Enhance AD FS December 2013 Sponsored By Contents Extend and Enhance AD FS By Sean Deuby Introduction...2 Web Service SSO Architecture...3 AD FS Overview...5 Ping Identity Solutions...7 Synergy
Oracle Identity Analytics Architecture. An Oracle White Paper July 2010
Oracle Identity Analytics Architecture An Oracle White Paper July 2010 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may
Two-Factor Authentication
Two-Factor Authentication A Total Cost of Ownership Viewpoint CONTENTS + Two-Factor Authentication 3 A Total Cost of Ownership Viewpoint + Introduction 3 + Defining Total Cost of Ownership 3 + VeriSign
Open Directory. Apple s standards-based directory and network authentication services architecture. Features
Open Directory Apple s standards-based directory and network authentication services architecture. Features Scalable LDAP directory server OpenLDAP for providing standards-based access to centralized data
Secure the Web: OpenSSO
Secure the Web: OpenSSO Sang Shin, Technology Architect Sun Microsystems, Inc. javapassion.com Pat Patterson, Principal Engineer Sun Microsystems, Inc. blogs.sun.com/superpat 1 Agenda Need for identity-based
managing SSO with shared credentials
managing SSO with shared credentials Introduction to Single Sign On (SSO) All organizations, small and big alike, today have a bunch of applications that must be accessed by different employees throughout
Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107
Okta White paper Directory Integration with Okta An Architectural Overview Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 [email protected] 1-888-722-7871 wp-dint-053013 Table of Contents
Interoperate in Cloud with Federation
Interoperate in Cloud with Federation - Leveraging federation standards can accelerate Cloud computing adoption by resolving vendor lock-in issues and facilitate On Demand business requirements Neha Mehrotra
Build Your Mobile Strategy Not Just Your Mobile Apps
Mobile Cloud Service Build Your Mobile Strategy Not Just Your Mobile Apps Copyright 2015 Oracle Corporation. All Rights Reserved. What is is it? Oracle Mobile Cloud Service provides everything you need
CTERA Cloud Storage Platform Architecture
CTERA Cloud Storage Platform Architecture Whitepaper by CTERA Networks Highlights How unstructured data growth drives cloud storage adoption The killer apps of cloud storage reviewed Putting cloud storage
Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption
THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has
How can Identity and Access Management help me to improve compliance and drive business performance?
SOLUTION BRIEF: IDENTITY AND ACCESS MANAGEMENT (IAM) How can Identity and Access Management help me to improve compliance and drive business performance? CA Identity and Access Management automates the
Glinda Cummings World Wide Tivoli Security Product Manager
Featured Speaker IBM Security Solutions! Glinda Cummings World Wide Tivoli Security Product Manager 2010 IBM Corporation IBM Security Solutions! How IBM defines Cloud Computing IBM Security Solutions!
The organization decided that creating a more robust approach to customerfacing identity management represented a strategic opportunity.
BUYER CASE STUDY BuyerPulse Buyer Case Study: McKesson Utilizing Open Source IAM: Benefits in Cost, Customization, and Integration Sally Hudson Susan Funke Chris Skall Global Headquarters: 5 Speen Street
Table of Contents. Abstract. Cloud computing basics. The app economy. The API platform for the app economy
Table of Contents Abstract Cloud computing basics The app economy The API platform for the app economy Your API platform: in the cloud or on premises? The cloud deployment model Cloud characteristics The
NCSU SSO. Case Study
NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must
An Overview of Samsung KNOX Active Directory and Group Policy Features
C E N T R I F Y W H I T E P A P E R. N O V E M B E R 2013 An Overview of Samsung KNOX Active Directory and Group Policy Features Abstract Samsung KNOX is a set of business-focused enhancements to the Android
RSA SecurID Two-factor Authentication
RSA SecurID Two-factor Authentication Today, we live in an era where data is the lifeblood of a company. Now, security risks are more pressing as attackers have broadened their targets beyond financial
IBM Tivoli Federated Identity Manager
IBM Tivoli Federated Identity Manager Employ user-centric federated access management to enable secure online business collaboration Highlights Enhance business-to-business and business-to-consumer collaborations
Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE
Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication
An Overview of Samsung KNOX Active Directory-based Single Sign-On
C E N T R I F Y W H I T E P A P E R. S E P T E M B E R 2013 An Overview of Samsung KNOX Active Directory-based Single Sign-On Abstract Samsung KNOX is a set of business-focused enhancements to the Android
owncloud Architecture Overview
owncloud Architecture Overview Time to get control back Employees are using cloud-based services to share sensitive company data with vendors, customers, partners and each other. They are syncing data
CTERA Enterprise File Services Platform Architecture for HP Helion Content Depot
CTERA Enterprise File Services Platform Architecture for HP Helion Content Depot Whitepaper by CTERA Networks Highlights How unstructured data growth drives cloud storage adoption Putting cloud storage
midpoint Overview Radovan Semančík December 2015
midpoint Overview Radovan Semančík December 2015 Agenda Identity Management Introduction midpoint Introduction midpoint Architecture Conclusion Identity Management Introduction Identity Management System
<Insert Picture Here> Oracle Identity And Access Management
Oracle Identity And Access Management Gautam Gopal, MSIST, CISSP Senior Security Sales Consultant Oracle Public Sector The following is intended to outline our general product direction.
Moving to the Cloud: What Every CIO Should Know
Moving to the Cloud: What Every CIO Should Know CONTACT SALES US: 1.877.734.6983 UK: +44 (0)845.528.0588 www.egnyte.com WHITEPAPER Overview Enterprise data storage needs are growing exponentially, doubling
<Insert Picture Here> Integrating your On-Premise Applications with Cloud Applications
Integrating your On-Premise Applications with Cloud Applications Agenda Hybrid IT Infrastructure An Emerging Trend A New Set of Challenges The Five Keys to Overcoming the Challenges
owncloud Architecture Overview
owncloud Architecture Overview owncloud, Inc. 57 Bedford Street, Suite 102 Lexington, MA 02420 United States phone: +1 (877) 394-2030 www.owncloud.com/contact owncloud GmbH Schloßäckerstraße 26a 90443
Things You Need to Know About Cloud Backup
Things You Need to Know About Cloud Backup Over the last decade, cloud backup, recovery and restore (BURR) options have emerged as a secure, cost-effective and reliable method of safeguarding the increasing
Provide access control with innovative solutions from IBM.
Security solutions To support your IT objectives Provide access control with innovative solutions from IBM. Highlights Help protect assets and information from unauthorized access and improve business
MOVING TO THE NEXT-GENERATION MEDICAL INFORMATION CALL CENTER
MOVING TO THE NEXT-GENERATION MEDICAL INFORMATION CALL CENTER Pharma companies are improving personalized relationships across more channels while cutting cost, complexity, and risk Increased competition
Real-World Scale for Mobile IT: Nine Core Performance Requirements
White Paper Real-World Scale for Mobile IT: Nine Core Performance Requirements Mobile IT Scale As the leader in Mobile IT, MobileIron has worked with hundreds of Global 2000 companies to scale their mobile
Speeding Office 365 Implementation Using Identity-as-a-Service
August 2015 www.sarrelgroup.com [email protected] Speeding Office 365 Implementation Using Identity-as-a-Service White paper August 2015 This white paper is sponsored by Centrify. August 2015 www.sarrelgroup.com
APIs The Next Hacker Target Or a Business and Security Opportunity?
APIs The Next Hacker Target Or a Business and Security Opportunity? SESSION ID: SEC-T07 Tim Mather VP, CISO Cadence Design Systems @mather_tim Why Should You Care About APIs? Amazon Web Services EC2 alone
Is Liferay Right for Your Organization? Seven Things to Consider When Choosing a Portal Platform
Is Liferay Right for Your Organization? Seven Things to Consider When Choosing a Portal Platform BY DAN LILIEDAHL, CTO, TANDEMSEVEN The outcome of your portal initiative and its success is directly related
DirX Identity V8.4. Secure and flexible Password Management. Technical Data Sheet
Technical Data Sheet DirX Identity V8.4 Secure and flexible Password Management DirX Identity provides a comprehensive password management solution for enterprises and organizations. It delivers self-service
Introduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
White Paper: Nasuni Cloud NAS. Nasuni Cloud NAS. Combining the Best of Cloud and On-premises Storage
Combining the Best of Cloud and On-premises Storage Introduction Organizations rely on corporate data for everything from product design to order processing. Files are the lifeblood of the modern enterprise
How To Integrate With Salesforce Crm
Introduction Turbo-Charge Salesforce CRM with Dell Integration Services By Chandar Pattabhiram January 2010 Fueled by today s fiercely competitive business environment, IT managers must deliver rapid,
Three Ways to Integrate Active Directory with Your SaaS Applications OKTA WHITE PAPER. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107
OKTA WHITE PAPER Three Ways to Integrate Active Directory with Your SaaS Applications Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 [email protected] 1-888-722-7871 wp-3waysad-113012 Table
WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS
WHITEPAPER SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS EXECUTIVE OVERVIEW 2-Factor as a Service (2FaaS) is a 100% cloud-hosted authentication solution that offers flexible security without compromising user
The Impact of PaaS on Business Transformation
The Impact of PaaS on Business Transformation September 2014 Chris McCarthy Sr. Vice President Information Technology 1 Legacy Technology Silos Opportunities Business units Infrastructure Provisioning
Migration and Disaster Recovery Underground in the NEC / Iron Mountain National Data Center with the RackWare Management Module
Migration and Disaster Recovery Underground in the NEC / Iron Mountain National Data Center with the RackWare Management Module WHITE PAPER May 2015 Contents Advantages of NEC / Iron Mountain National
INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS
INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS CLOUD COMPUTING Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing
SOLUTION BRIEF CA TECHNOLOGIES IDENTITY-CENTRIC SECURITY. How Can I Both Enable and Protect My Organization in the New Application Economy?
SOLUTION BRIEF CA TECHNOLOGIES IDENTITY-CENTRIC SECURITY How Can I Both Enable and Protect My Organization in the New Application Economy? CA Security solutions can help you enable and protect your business
How Oracle MAF & Oracle Mobile Cloud can Accelerate Mobile App Development
How Oracle MAF & Oracle Mobile Cloud can Accelerate Mobile App Development A RapidValue Solutions Whitepaper Contents Executive Summary... 03 Oracle Mobile Application Framework (MAF): The Complete Development
The Primer: Nuts and Bolts of Federated Identity Management
The Primer: Nuts and Bolts of Federated Identity Management Executive Overview For any IT department, it is imperative to understand how your organization can securely manage and control users identities.
nexus Hybrid Access Gateway
Product Sheet nexus Hybrid Access Gateway nexus Hybrid Access Gateway nexus Hybrid Access Gateway uses the inherent simplicity of virtual appliances to create matchless security, even beyond the boundaries
A Standards-based Mobile Application IdM Architecture
A Standards-based Mobile Application IdM Architecture Abstract Mobile clients are an increasingly important channel for consumers accessing Web 2.0 and enterprise employees accessing on-premise and cloud-hosted
SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for On-boarding
SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for On-boarding www.citrix.com Contents: Introduction; The On-boarding Problem Defined; Considerations for Application On-boarding...
Top 8 Identity and Access Management Challenges with Your SaaS Applications. Okta White paper
Okta White paper Top 8 Identity and Access Management Challenges with Your SaaS Applications Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 1-888-722-7871 wp-top8-113012
Flexible Identity Federation
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
SUPERVALU Successfully Leverages Tablet Technology and Identity and Access Management Infrastructure for Increased Security and Business Productivity
BUYER CASE STUDY SUPERVALU Successfully Leverages Tablet Technology and Identity and Access Management Infrastructure for Increased Security and Business Productivity Sally Hudson IDC OPINION Global Headquarters:
API Architecture. for the Data Interoperability at OSU initiative
API Architecture for the Data Interoperability at OSU initiative Introduction Principles and Standards OSU's current approach to data interoperability consists of low-level access and custom data models
OpenAM. 1 open source 1 community experience distilled. Single Sign-On (SSO) tool for securing your web. applications in a fast and easy way
OpenAM Written and tested with OpenAM Snapshot 9 the Single Sign-On (SSO) tool for securing your web applications in a fast and easy way Indira Thangasamy [ PUBLISHING 1 open source 1 community experience
PortWise Access Management Suite
Create secure virtual access for your employees, partners and customers from any location and any device. With today's global and homogenous economy, the accuracy and responsiveness of an organization's
Building a Cloud-Ready, Future-Proof Identity Infrastructure:
Building a Cloud-Ready, Future-Proof Identity Infrastructure: Three Keys to Success UnboundID Corp. 13809 Research Blvd Suite 500 Austin, TX 78750 512-600-7700 www.unboundid.com Executive Summary Social
How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment
WHITEPAPER How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment www.onelogin.com 150 Spear Street, Suite 1400, San Francisco, CA 94105 855.426.7272 EXECUTIVE SUMMARY
White Paper. McAfee Cloud Single Sign On Reviewer's Guide
White Paper McAfee Cloud Single Sign On Reviewer's Guide Table of Contents Introducing McAfee Cloud Single Sign On 3 Use Cases 3 Key Features 3 Provisioning and De-Provisioning 4 Single Sign On and Authentication
What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility
Your Guide to Cost, Security, and Flexibility What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility 10 common questions answered Over the last decade, cloud backup, recovery
Select the right solution for identity and access governance
IBM Security Buyer's Guide June 2015 Select the right solution for identity and access governance Protecting critical assets from unauthorized access 2 Select the right solution for identity and access
Symantec Enterprise Vault.cloud Overview
Fact Sheet: Archiving and ediscovery Introduction The data explosion that has burdened corporations and governments across the globe for the past decade has become increasingly expensive and difficult
Migration and Building of Data Centers in IBM SoftLayer with the RackWare Management Module
Migration and Building of Data Centers in IBM SoftLayer with the RackWare Management Module June, 2015 WHITE PAPER Contents Advantages of IBM SoftLayer and RackWare Together... 4 Relationship between
White paper Contents
Three Ways to Integrate Active Directory with Your SaaS Applications Okta Inc. 301 Brannan Street San Francisco, CA 94107 1-888-722-7871 Contents 1 User Management Challenges of Software
People-Focused Access Management. Software Consulting Support Services
People-Focused Access Management Software Consulting Support Services A beautiful experience. Anytime, anywhere. Access: One is an industry-leading Access Management platform that provides you with versatile
Kent State University's Cloud Strategy
Kent State University's Cloud Strategy Table of Contents Item Page 1. From the CIO 3 2. Strategic Direction for Cloud Computing at Kent State 4 3. Cloud Computing at Kent State University 5 4. Methodology
Kenneth Hee Director, Business Development Security & Identity Management. Oracle Identity Management 11g R2 Securing The New Digital Experience
Kenneth Hee Director, Business Development Security & Identity Management Oracle Identity Management 11g R2 Securing The New Digital Experience This document is for informational purposes. It is not a
EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES
pingidentity.com EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES Best practices for identity federation in AWS Table of Contents Executive Overview 3 Introduction: Identity and Access Management in Amazon
Passlogix Sign-On Platform
Passlogix Sign-On Platform The emerging ESSO standard deployed by leading enterprises Extends identity management to the application and authentication device level No modifications to existing infrastructure
The Unique Alternative to the Big Four. Identity and Access Management
The Unique Alternative to the Big Four Identity and Access Management Agenda Introductions Identity and Access Management (I&AM) Overview Benefits of I&AM I&AM Best Practices I&AM Market Place Closing
SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology
SaaS at Pfizer Challenges, Solutions, Recommendations Agenda How are Cloud and SaaS different in practice? What does Pfizer's SaaS footprint look like? Identity is the Issue: Federation (SSO) and Provisioning/De-provisioning
CA Technologies Strategy and Vision for Cloud Identity and Access Management
WHITE PAPER CLOUD IDENTITY AND ACCESS MANAGEMENT CA TECHNOLOGIES STRATEGY AND VISION FEBRUARY 2013 CA Technologies Strategy and Vision for Cloud Identity and Access Management Sumner Blount Merritt Maxim
Simplify Identity Management with the CA Identity Suite
SOLUTION BRIEF CA DATABASE IDENTITY SUITE MANAGEMENT IDENTITY FOR MANAGEMENT DB2 FOR z/os DRAFT Answer the cover question by stating how the solution can deliver the desired benefits; typically, technical
EXECUTIVE VIEW. EmpowerID 2013. KuppingerCole Report. By Peter Cummings October 2013. By Peter Cummings pc@kuppingercole.
KuppingerCole Report EXECUTIVE VIEW By Peter Cummings October 2013 EmpowerID 2013 By Peter Cummings October 2013 Content 1 Vendor Profile... 3 2 Product Description... 4 2.1 Single
ADAPTABLE IDENTITY GOVERNANCE AND MANAGEMENT
OMADA IDENTITY SUITE - Adaptable Identity Management and Access Governance Governance Compliance Identity Management Cloud Self-Service Security Complete control of who has access to what is an essential
Michigan Criminal Justice Information Network (MiCJIN) State of Michigan Department of Information Technology & Michigan State Police
Michigan Criminal Justice Information Network (MiCJIN) State of Michigan Department of Information Technology & Michigan State Police NASCIO 2006 Recognition Awards Enterprise Architecture Category Executive
SOA REFERENCE ARCHITECTURE: WEB TIER
SOA REFERENCE ARCHITECTURE: WEB TIER SOA Blueprint A structured blog by Yogish Pai Web Application Tier The primary requirement for this tier is that all the business systems and solutions be accessible
