The Circle of Life: Protecting Your Sun IAM Investment with ForgeRock's Open Identity Stack (formerly Sun Open Source IAM)




White Paper

1. Overview
2. Understanding the Options
3. Solving the Customer Problem
4. ForgeRock Open Identity Stack
5. ForgeRock Sun Upgrade Offering: Make it Easy
6. Appendix: Product Comparisons

1. Overview

As many feared when Oracle acquired Sun Microsystems in 2009, Oracle has end-of-lifed (EOL) the market-leading Sun Identity and Access Management (Sun IAM) platform, which thousands of organizations have depended on to secure business-critical applications and services. Oracle has provided two alternatives to these Sun customers: stay on the Sun IAM platform and purchase an over-priced Sustaining Support contract, or move to the Oracle Fusion platform, a painful and costly process of ripping out and replacing their Sun IAM products.

Fortunately, there is a third option that is cost-effective, has a minimal impact on your business and provides a path to modern IAM: the ForgeRock Open Identity Stack. Based on the Sun Microsystems open source IAM products, the ForgeRock Open Identity Stack is a low-risk upgrade. Since its inception four years ago, ForgeRock has been busy adding new functionality and reliability to the original Sun IAM products. In the case of OpenSSO, for example, ForgeRock has written 100,000 lines of code, committed 10,000 code check-ins, and released 10 new versions of the product. Recently, ForgeRock launched the industry's first identity relationship management platform, focused on using secured, online identities to grow revenue, extend reach, and launch new business models.

ForgeRock's Open Identity Stack powers solutions for many of the world's largest companies and government organizations. Founded in 2010, ForgeRock's leadership team brings 80 combined years of experience in the software industry and includes open source icons and innovators, with investors from two of the leading global venture capital firms, Accel Partners and Foundation Capital.

The following paper has been prepared to aid Sun IAM customers in understanding their options so they can make the best decision for their business.

SUN IDENTITY AND ACCESS MANAGEMENT (SUN IAM) REPLACEMENT OPTIONS:

Option 1 - Stuck in Time: Oracle Sustaining Support
This option allows customers to continue running their existing Sun IAM deployment at an exorbitant cost. There are no innovations or new product releases. The offering grows stagnant and dated over time, eventually driving organizations to Option 2 or 3.

Option 2 - Rip and Replace: Oracle Fusion Replacement
This option requires customers to invest in completely new IAM infrastructure. This requires a rip and replace of existing Sun IAM infrastructure and expensive system integration costs to deploy a new platform.

FORGEROCK.COM

Option 3 - A New Sun IAM Future: The ForgeRock Open Identity Stack
Building on the Sun IAM source code, ForgeRock's Open Identity Stack allows for a hybrid model where organizations can directly upgrade portions of their portfolio to ForgeRock products, minimize service costs by avoiding rip and replace, and continue to build out their Sun IAM platform backed by a best-in-class identity and access management product development company.

2. Understanding the Options

Option 1: Stuck in Time - Oracle Sustaining Support

Oracle's diminishing interest in the Sun IAM products became clear early on, when they announced plans to end full Premier Support of Sun IAM products starting in 2010, and then to end limited Extended Support by 2012 for all releases. It's critical to note that when a software product's end-of-life (EOL) date is announced, it signals a fundamental shift in investment on the part of the software vendor, Oracle in this case. Dedicated engineering resources for the product's development, maintenance, and QA are diverted to other projects. Only a skeleton crew of support engineers remains, and customers no longer get software updates, upgrades, or patches for their software product.

Oracle's lack of commitment to the Sun IAM products means that organizations relying on these products for mission-critical business processes are at high risk of failure and business interruption. Bottom line: if your systems go down, or something breaks because you upgraded an integrated third-party product, there won't be a team of experienced and motivated engineers to assist. You are on your own.

Despite their own lack of resource dedication and commitment to Sun IAM, Oracle requires continuing Sun customers to purchase Sustaining Support contracts. In exchange for the customer's additional investment in Sun IAM, Oracle only promises to maintain the product in its current state (interminably) without providing any new updates, fixes, security alerts, data fixes, critical patch updates, upgrades, new technology, or paths forward. For customers running mission-critical identity and access management solutions, Oracle's Sustaining Support option is fraught with risk.

ADDITIONAL INFORMATION ABOUT THE ORACLE SUPPORT OF IAM CAN BE FOUND AT:
http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf
http://www.oracle.com/us/support/library/lsp-middleware-chart-069287.pdf
http://docs.oracle.com/cd/e19225-01/821-0095/6nl6192ea/index.html

Option 2: Rip and Replace - Oracle Fusion Replacement

A second alternative is to move off of Sun IAM and onto Oracle Fusion. There are clear costs to this option, as it would mean a rip and replace of the Sun IAM product. For some organizations, this could mean millions in added consulting and software licensing costs. In addition to the steep financial costs, the Oracle Fusion option is time-consuming and risky for even the most experienced IT team.

As we all know, there are times when rip and replace is necessary, but it's hard to justify unless there are compelling technical or business drivers. Since the Sun IAM portfolio is a best-of-breed offering with a strong install-base and successful deployments globally, many organizations are struggling to justify a rip and replace strategy that would move them to a monolithic and complex platform such as Oracle Fusion or similar traditional IAM platforms. Many Sun IAM customers are only considering a move off of Sun because they are being forced to by Oracle's end-of-life policies and inadequate support commitment, not very compelling reasons for making such a significant architectural change. This brings us to a third option, the ForgeRock Open Identity Stack.

Option 3: A New Future - The ForgeRock Open Identity Stack

Formed from the roots of Sun's open source IAM products, ForgeRock continues to invest in and build out a best-of-breed stack based on the Sun IAM source code. ForgeRock not only continues to shepherd the Sun IAM product strategy, but is also comprised of many of the management, engineering, services, sales, and marketing leaders from the Sun IAM team. This means that organizations using Sun products don't have to choose between paying exorbitant fees for Oracle's Sustaining Support or ripping out and replacing their Sun IAM infrastructure for a completely new solution.

The ForgeRock Open Identity Stack gives organizations the ability to minimize cost and risk while optimizing value. Sun IAM customers can continue to build next-generation features on top of their existing IAM investment with off-the-shelf products designed and developed by some of the great identity leaders from Sun.

The ForgeRock Open Identity Stack is a full suite of identity products. The table below shows the progression from the Sun Microsystems and Oracle products to the corresponding ForgeRock products.

Sun Microsystems | Oracle | ForgeRock
OpenSSO | OpenSSO | OpenAM
Sun Access Manager | OpenSSO | OpenAM
Sun Identity Manager | Waveset | OpenIDM
Directory Server Enterprise Edition | Directory Server Enterprise Edition / Oracle Unified Directory | OpenDJ
OpenDS | Directory Server Enterprise Edition / Oracle Unified Directory | OpenDJ

A Better Business Partner

ForgeRock offers the best option for Sun customers through our deep engineering expertise with the Sun IAM code base, our unique business model, and our highly differentiated open source development model. From a financial licensing and support perspective, ForgeRock is the antithesis of the traditional vendor approach. Our commercial subscription license gives customers access to unlimited support, patches / upgrades and hotfixes, community support, and legal indemnification. Our open source model also provides the added assurance that there's no vendor lock-in and no barrier to exit. With closed-source vendors like Oracle, you will be locked into a platform with up to a 5-to-1 services-to-license cost ratio that is even more expensive to rip out and replace.

A Better Technology Choice

From a technology perspective, organizations that have Oracle products know they are monolithic, heavyweight, and designed for the on-premise enterprise. Any Oracle migration is an expensive rip and replace proposition. Oracle IAM requires complex integration, has limited scalability, and remains inaccessible to most developers. That's because legacy vendors like Oracle buy identity products ad-hoc, glue them together, label them with an integrated marketing sticker, and mark up the price. Unfortunately, these acquired software products utilize different user interfaces, APIs, libraries, and install requirements, saddling companies with complex, time-consuming, and ultimately painful migration and integration processes. As a result, organizations have been forced to slow down the implementation of their identity infrastructure, and have spent an extraordinary amount of money in the process with limited success.

Our Mission

ForgeRock has taken a completely different approach to solving the IAM problem. Utilizing an open source development model, ForgeRock is revolutionizing IAM through the creation of a simple, open, developer-friendly identity services product stack. Our goal is to create a ubiquitous, unified open identity stack to replace traditional, proprietary identity management suites. ForgeRock has the only agile, integrated solution that's simple to implement and architected from the ground up for Internet scale. The bottom line is that migration to Oracle IAM products is only worth considering if you have significant Oracle application, middleware, and database investments.

The following table details the unique ForgeRock value proposition:

Integrated Platform
ForgeRock: We're the first company to design an integrated, open-source identity platform for enterprise, cloud, social, and mobile environments. Our products are purpose-built to work together anywhere.
Legacy Vendors: Legacy vendors like Oracle have an accidental architecture built through acquisitions. This model passes those costs to the customer through deployment complexity and maintenance.

All-in-One
ForgeRock: We provide the only all-in-one open identity stack on the market. Lightweight and flexible, you can use any part of our stack with all of your existing legacy products. We are an integrated stack yet legacy system friendly.
Legacy Vendors: Oracle markets their products as integrated, yet requires multiple, separate installations just to enable core product functionality. This is an unnecessary expense and a deployment hassle.

Open Source
ForgeRock: With 300,000+ downloads, we have a vibrant community that directly impacts how our software is developed. With the ability to inspect every line of code and view our 12-24 month roadmap, you can now transparently plan for the future and can decide at any time to continue or discontinue use of our suite.
Legacy Vendors: Legacy vendors like Oracle have proprietary, closed source products that block code inspection and lock you in to prevent any exit. This monolithic development and release process makes it difficult to vet the product, plan ahead, and focus on innovation and flexibility.

Developer-Friendly
ForgeRock: Our identity solutions are unified, designed for the developer using a single, common programming interface (REST) and architected from the ground up for Internet scale.
Legacy Vendors: Oracle products were designed to support Fusion App platform products first, your application environment second. Providing simple API access to developers to enable easy integration is not part of their DNA.

Pay at the Point of Value
ForgeRock: Download our products anytime, anywhere. We eliminate the complex licensing restrictions. You never pay for the cost of acquisition before you evaluate and test.
Legacy Vendors: Oracle requires upfront payment for the full deployment, yet getting to the production phase may take up to a year. Why pay in full for proof of concept or test or build?

Speed to Market
ForgeRock: We deliver the latest stable product releases every six months; compare that to legacy vendors' standard 18-month cycle. This means you get new technology, standards, and features faster than anyone.
Legacy Vendors: Legacy vendors with proprietary products like Oracle have a standard 18-month development and release cycle. Why should you be penalized because they have a slow development and test process?

Business Requirements
ForgeRock: Our architecture was purpose-built for enterprise, mobile, social, and cloud business requirements. Internet scalable, REST APIs for easy access, all-in-one unified platform for simple deployments.
Legacy Vendors: Designed to support Oracle Fusion apps first, not next gen apps like mobile, social, or cloud. Products are not designed as a single, unified architecture, which means massive integration costs are passed to customers.

No Barrier to Exit
ForgeRock: Open source provides assurance that if we're not for you, there's no barrier to exit and no vendor lock-in.
Legacy Vendors: Proprietary vendor technology is designed to lock you in forever. This results in a high barrier to exit, up to 10x the original cost.

3. Solving the Customer Problem

Customer Profile: Multi-billion-dollar media services company that operates a multi-channel, multi-platform television service for 10 million+ households, delivering movies, news, entertainment, arts, and sports channels.

Business Challenge: The customer had a legacy identity infrastructure that was approaching end of life in 2010 and kicked off a project to upgrade their Sun IAM technology. The goal was to leverage as much of the investment in the Sun IAM platform as possible while migrating to another solution. The biggest hurdle to migration was the risk that customers would not be able to access core services if a new vendor required a rip and replace transition. What the customer needed was a flexible technology platform, based on highly scalable products to support 15 million+ users with SSO, Access Management, and Directory Services, with minimal end-user disruption.

IT Requirements:
- 24x7 support for a highly-available solution with 15 million+ users with peak concurrent usage in the millions
- Rapid transition to new platform while maintaining a live environment in production with minimal disruption to end-user services
- Flexible and highly customizable products which would be supported in production at an attractive TCO

Project Details: The customer selected ForgeRock OpenAM and OpenDJ over Oracle technology, based on ease of developer access, projected implementation costs, and technically superior products. In early 2011 the customer began to migrate from Sun Access Manager and Sun DSEE to OpenAM and OpenDJ. With careful planning and preparation, the solutions were deployed to production, with ForgeRock providing expertise through technical support and incident management to minimize disruption to end-user services.

Benefits: The customer was able to successfully upgrade complex Sun Directory Server, SSO, and Access Management infrastructure to ForgeRock OpenAM and OpenDJ. This protected the customer's previous investment in Sun technology, obviating the need to re-invest in a new technology platform. With expert assistance provided by ForgeRock throughout the process, the project was completed with minimal downtime and minimal user impact. The project completed on time and without incident, with OpenAM and OpenDJ demonstrating significant performance improvements against the legacy Sun DSEE and Sun Access Manager. The OpenAM and OpenDJ project involved the migration of more than 12 million user identities, multi-master replication across 6 directory instances, and a multi-site deployment in two data centers running at high availability. The upgrade allowed a seamless transition for end-users, and was completed in a live production environment.

4. ForgeRock Open Identity Stack

The ForgeRock Open Identity Stack is a shared services-based architecture for managing the complete lifecycle of an identity and its ongoing usage, including attributes, credentials, and entitlements; the real-time controls for access based on attributes, role, entitlement, and context; and the administration and reporting of those activities. The architecture has many shared services that span the three core products, making it easier to develop, implement, and manage your deployment. These services include a common RESTful API, registration, and standards-based services such as OAuth 2.0, among others, along with a common lightweight UI model to help integrate the internal Open Identity Stack components as well as external systems, and provide a unified experience for developers and administrators.

[Figure: Open Identity Stack Shared Services Architecture]

The Open Identity Stack is 100% open source and consists of the following solutions:

- OpenAM is an open source Authentication, Authorization, Federation, Web Services Security, Fine-Grained Entitlements, and Adaptive Authorization solution. It also includes application and web container policy enforcement agents. Packaged with OpenAM, OpenIG (Identity Gateway) is a high-performance gateway with specialized session management and credential replay functionality.
- OpenIDM is an open source User Administration and Provisioning solution. OpenIDM uses the Open Identity Connectors Framework and Toolkit (OpenICF) to aid development of resource connectors.
- OpenDJ is an open source LDAP directory service (the first-ever DS server natively supporting REST API) with a high-performance, highly available, secure directory server, built-in data replication, client tools, and a developer-friendly LDAP SDK. Access is provided via LDAP, Web Services, and REST API.

Refer to the Appendix for more details on the ForgeRock Open Identity Stack and how it stacks up against Oracle.

5. Getting Started: Sun Upgrade Offering

The ForgeRock Sun Upgrade offering has been designed to help organizations strategically plan for upgrading all or parts of their Sun IAM deployment. For many customers, this will be a very straightforward process, depending on the Sun products and versions deployed.

The first step is the Sun Upgrade Assessment offering, which is designed to help organizations map out their current IAM architecture and business processes. The assessment also includes an evaluation of technical and business needs against short and long-term strategies. The Assessment will produce a multi-point plan with recommendations that can be used for internal planning and budgeting. It is our goal at ForgeRock to help organizations with their decision-making process as they work through use-case scenarios for existing and future requirements.

The ForgeRock Sun Upgrade offering is designed to help organizations strategically plan an upgrade of all or part of their Sun IAM deployment. With a variety of resources available to our customers to help with this process, ForgeRock will be your trusted partner in mapping your current IAM architecture and business processes, and in evaluating your current needs against your short and long term strategies.

Let's get started. Contact us at http://forgerock.com/products/sun-replacement/

6. Appendix

Product Comparison of ForgeRock Open Identity Stack to Oracle Fusion Products

OpenAM Overview

There are several key reasons OpenAM provides the best possible upgrade solution from Sun OpenSSO or Sun Access Manager. The OpenAM code source foundation comes from Sun and has continued to evolve and improve over time. ForgeRock has audited and cleaned the entire Sun code base, and since the initial release of OpenAM, more than a thousand bugs, security issues, and improvements have been implemented. The code source lineage is detailed in the following chart.

[Figure: OpenAM Code Source Lineage, 2008-2012. Open source ("one single product for AAA + federation"): OpenSSO Build 6, OpenSSO Build 7, OpenSSO Build 8, OpenAM 9.0, OpenAM 9.5, OpenAM 10.0, OpenAM 10.1. Closed source ("broken into several non-compatible products"): OpenSSO Ent 8.0, U1, U1 P1, U1 P2, U1 P3, U2, Oracle Access Manager*, Oracle Identity Federation*, Oracle Entitlements Server*, Oracle Adaptive AM*, Oracle Fedlet*.]
* Must purchase all products above to replicate OpenAM functionality

OpenAM Product Description

OpenAM has a unique architecture to support use cases from complex enterprise access control, to multi-protocol federation, to SSO enablement for cloud systems. At the highest level, OpenAM consists of a single, self-contained Java application; service components such as session management; client-side APIs in C, Java, REST; service provider interfaces to enable custom plugins; and policy agents for web and app server containers to enforce access policies to protected web sites and web applications. Organizations with existing internal access management solutions can easily integrate OpenAM into their environment through API services.

Maintaining all installation and configuration capabilities within one application vastly simplifies deployment. In addition, agent configuration, server configuration, and other tasks are simplified to be repeatable and scalable, so multiple instances of the solution can be deployed without additional effort. The embedded OpenDJ directory server eliminates the need to configure a separate directory to support the configuration and user stores; or if desired, users can utilize other LDAP directories such as Sun DSEE or databases as user stores instead.

OpenAM Functional Diagram
UI Layer: Management; End User
Protected Resources Layer: Web Agents; JavaEE Agents; WS Agents
Access Layer: Common REST; OpenID Connect; OAuth2; SAML; WS
Services Layer: AuthN; Federation; Adaptive Risk; AuthZ; Session Management; SSO; Entitlements; Password Management; Logging
Data Persistence Layer
External Layer: Authentication Systems; User Directory Stores; Reporting Tools; SIEM, Analytics Tools

OpenAM Advantages

Cost-Effective Upgrade Path
ForgeRock: ForgeRock offers the most cost-effective path for existing Sun customers. Because it is based on the same code base, upgrading to OpenAM is just moving to the latest version of Sun OpenSSO. OpenAM is also designed as a single solution, meaning there are no additional license fees to get all the features: one price gives you everything today and what's delivered in the future.
Legacy Vendors: Oracle recommends that you rip and replace Sun OpenSSO or Sun AM as the upgrade path to OAM. If you are an existing OAM customer then you probably already know the pain of moving from just OAM 10g to 11g. Unless there are significant business reasons to move to OAM, OpenAM is technically a better product, a more cost-effective solution, and an easier upgrade path.

Comprehensive
ForgeRock: It is the only All-in-One Access Management solution that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security in a single, unified product.
Legacy Vendors: Comparing OAM to OpenAM is not 1:1. OAM has 8+ individual products vs. 1 integrated OpenAM solution. You end up paying more for an accidental architecture through added deployment complexity and a steep learning curve.

Developer-Friendly Designed for the developer using a single, common programming interface (REST), or if preferred, Java and C. Our key objective is to make it easier, faster, and less complex to implement IT and business requirements. Oracle products were designed to support Fusion App platform products first, your application environment second. Providing simple API access to developers to enable easy integration is not part of their DNA. Performance, Scalability, High Availability Supports large-scale implementations with thousands of logins and registrations per second. Requires fewer machines at scale, decreasing footprint. Load balancing and high availability with session failover across sites support complex, multi-site environments. Oracle designed OAM for the enterprise and Oracle Fusion apps, and now is saddled with an architecture that cannot effectively support large-scale deployments for ISPs, SaaS providers, and customer-facing services. Systems designed for a single purpose are not cost-effective or practical for alternative uses. Built-in Data Store OpenDJ comes embedded as a sessionpersistent store and a highly scalable and high-performance configuration store. There is no additional cost to use it straight out of the box with OpenAM. This saves you time and money with license and configuration issues. Or use your choice of datastore if desired. OAM does support almost any LDAP datastore but it s at your own cost. Separate install, config, license, and support contract. With a 100+ step checklist to install an OAM supported directory, it s anything but simple. OpenDJ is part of the OpenAM install process and is up and running in a few clicks. OpenIDM Overview To understand why we designed OpenIDM the way we did, it s important to know a bit about the history of user provisioning. 
Legacy user provisioning products were designed 10-15 years ago when IT used a three-tier web architecture for application development and attempted to consolidate all identities into a centralized directory service. These first-generation provisioning systems helped automate the administration of users to reduce cost and resource overhead. By building a system that connected to the mainframe, HR system, and email systems, departments and lines of business could manage their own policies for granting system access.

Fast-forward to today, and the entire IT landscape has radically changed. It's now more complex than ever due to the explosion of devices, users, roles, and regulations, among many other requirements. While the original provisioning systems worked as point solutions, they had limited ability to fully integrate into the enterprise, limited flexibility to adapt to new business requirements, and were inherently complex to implement.

For these reasons, OpenIDM was developed as a clean sheet design using a modern, lightweight, modular architecture that supports business use cases for identity administration and provisioning not only within the enterprise, but for cloud-based services delivered to the user across a wide variety of devices including mobile and desktop.

Moving to OpenIDM from Sun Identity Manager provides a lightweight, developer-friendly solution. It will provide a flexible system that is easy to adapt to many different use cases that the business requires, not just today, but in 3 to 5 years, as the IT landscape continues to evolve.

OpenIDM Product Overview

OpenIDM is a User Administration and Provisioning solution purpose-built to manage user access and accounts across enterprise, cloud, social, and mobile environments. OpenIDM is 100% open source, offering a very different approach to application development, with a more reasonable cost model and improved flexibility to support the innovation required to stay competitive.

Because the Java-based architecture is built on the OSGi framework, OpenIDM is able to provide lightweight, modular services such as automated workflow, user self-service, registration, password sync, data reconciliation, and audit logging, all accessible through the RESTful API using standard Java development tools. The OSGi framework enables modular, plug-and-play identity services. If you want to use an alternative component, such as a workflow engine, with OpenIDM you can easily do so. In addition, OpenIDM leverages OpenICF (Open Source Identity Connector Framework) to vastly simplify resource connector development and sharing through the open source community.

With complete flexibility in data and object schema, the OpenIDM architecture enables support for traditional on-premise applications as well as cloud service providers such as Workday, Google Apps, and Salesforce.com. Using SCIM (System for Cross-Domain Identity Management), open standards, and the REST API, OpenIDM is easy to configure straight out of the box, enabling user-provisioning and administration services for cloud providers without complex customization. This simplifies account creation, updates, deletions, and auditing without the cost and overhead of deploying multiple systems.
[Figure: OpenIDM Functional Diagram. UI Layer: ForgeRock UI Framework. Access Layer: Common REST. Business Logic Layer: JavaScript; Groovy; Java. Services Layer: Provisioning Services; Password Management; Report & Audit Service; Directory Service; OpenIDM Repository; Task Scanner; Workflow Engine; Policy Service. External Resources Layer.]

OpenIDM Advantages (ForgeRock vs. Sun Identity Manager)

Internet Scale Architecture
ForgeRock: With a next-gen architecture, OpenIDM is unique in its support for large-scale, high-transaction-rate operations for customer-facing systems that deliver user self-service, password management, and account creation. With a high-speed reconciliation and sync engine, data is managed efficiently between multiple backend datastores to ensure data is clean and consistent.
Sun Identity Manager: Sun Identity Manager was purpose-built for enterprise provisioning between HR, AD, and other back-office systems. Because of the complex configuration, usually no more than 25 systems were connected. The Service Provider edition was an attempt to provide the scale needed for new externally facing applications.

Open Standards-based Connector Framework
ForgeRock: OpenIDM provides standard, out-of-the-box ICF connectors (based on OpenICF [Open Source Identity Connector Framework]) to the most widely used backend systems. Connector code is open, reusable, and can be shared through the OpenICF community.
Sun Identity Manager: The original Sun Identity Manager connector code was proprietary and as such is not reusable when migrating. Oracle recognized this and moved new connector tools to support the OpenICF framework, which will help simplify some of the migration to OpenIDM.

Developer-Friendly
ForgeRock: Simple RESTful interfaces provide APIs for managing all core operations of user administration, sync, and reconciliation. A server-side scripting engine is provided with JavaScript and Groovy supported out of the box.
Sun Identity Manager: Sun Identity Manager provided limited API access for developers and the XPRESS scripting language was proprietary. XPRESS correlation rules can be migrated from XPRESS to JavaScript.

Embeddable for SaaS/Custom App
ForgeRock: OpenIDM has a modular architecture with a small footprint, and it's open source and developer-friendly. This makes OpenIDM an ideal solution to embed in a SaaS, IaaS, PaaS, or hosted service provider offering.
Sun Identity Manager: Sun Identity Manager was purpose-built for enterprise workflow processes only. Any SaaS or service provider system requiring a lightweight, embeddable, developer-friendly solution will have to use another option such as OpenIDM.

Independent UI Framework
ForgeRock: OpenIDM is the first provisioning solution designed with a UI that is decoupled from the core services. Through support of jQuery and REST APIs, it allows complete customization of the presentation layer.
Sun Identity Manager: Sun Identity Manager does not offer developer access to the admin UI. This is a traditional software app that has an admin console UI or CLI that can be used for managing configuration. Forms are used for the end user UI and can be modified as needed.

Industry Standard Workflow Modeling
ForgeRock: OpenIDM supports a plug-and-play design that allows choice of either the embedded Activiti engine or another of the customer's choice. Activiti supports industry-standard BPMN 2.0 process definition models, which can not only be exchanged between different graphical editors, but can also execute as is on any BPMN 2.0-compliant engine.
Sun Identity Manager: Sun Identity Manager has a flexible yet proprietary workflow design that was custom-built and therefore cannot be changed. OpenIDM exposes the same capability, but instead of using a proprietary workflow definition language, we leverage the industry-standard BPMN 2.0 to specify workflows. ForgeRock is able to help customers migrate the proprietary notation to industry-standard BPMN 2.0 notation.

Flexible Data Model
ForgeRock: The object model is designed to support whatever the organization requires. The options are to configure OpenIDM to create a virtual identity with links to external systems (data sparse model), or to create a metadirectory that centrally stores a copy of identity attributes (data full model).
Sun Identity Manager: Sun Identity Manager uses a data sparse data model, which is good if the organization doesn't have a lot of data to manage, sync, or reconcile between backend systems. OpenIDM provides the advantage of either data model, which is critical to the current needs of many businesses.

OpenDJ Overview

OpenDJ, initiated as the Sun Microsystems OpenDS project, was designed as a replacement for Sun Directory Server Enterprise Edition, and therefore provides the easiest migration path. ForgeRock is changing the decades-old approach to LDAP directory services by simplifying the way developers gain access to the underlying directory service. OpenDJ is the first commercial open source solution that provides both an LDAP and REST-compliant directory service.
With a design specifically developed for the Java platform, it can provide high-throughput performance for both reads and writes, configurable with replication for highly available service, and secure protection of data with multiple levels of authentication and authorization. OpenDJ is also the easiest directory to deploy and manage for many different use cases, whether it is for a large-scale cloud service directory, a consumer-facing directory, or an enterprise or network operating system (NOS) directory.

With its 100% Java code base, OpenDJ runs on many platforms, including virtualized environments. All software and data are architecture-independent, so migration to a different OS or a different server is as simple as copying an instance to the new server. This increases the deployment flexibility, as well as the portability between different operating systems and system architectures.

[Figure: OpenDJ Functional Diagram. UI Layer: Management; End User. Access Layer: Common REST; LDAP SDK; LDAPv3. Services Layer: REST2LDAP; Access Control; Password Policy; Groups; Schema Management; Caching; LDAPv3 Replication; Monitoring; Auditing. External Layer: Active Directory; Samba; User Directory Stores; Reporting Tools; SIEM, Analytics Tools.]

OpenDJ Advantages (ForgeRock vs. Oracle)

Internet Scale Architecture
ForgeRock: OpenDJ provides industry-leading performance with sub-millisecond read/write response times and low latency throughput, up to hundreds of thousands of operations per second. HA deployments supported with N-way multi-master replication, including data centers with geographic separation for managing failover and disaster recovery. Meets the most rigorous SLA requirements, from telco subscriber systems to mission-critical enterprise environments.
Oracle: Oracle has 3 different directory products to choose from. The Sun OpenDS code base provides the foundation for both Oracle Unified Directory and OpenDJ, which means all the advantages of the Oracle product can be found in OpenDJ as well (Internet scalability, HA, and support for use cases for the enterprise and cloud), except OpenDJ is 100% open source with an actively and rapidly contributing community and the flexibility to customize code.

Developer-Friendly
ForgeRock: OpenDJ is the first LDAP directory to support a range of developer options including a REST API, SCIM, LDAP, and DSML-based Web Services. And for the traditionalists, the OpenDJ SDK provides a library of Java classes and interfaces for accessing and implementing LDAP directory services.
Oracle: Oracle only provides access through traditional APIs like DSML and the Identity Governance Framework (IGF) ArisID Java Interfaces.

Pass-Through Authentication
ForgeRock: OpenDJ enables simple-to-configure delegated authentication to another LDAP directory service, such as Active Directory, without the need to install other components or products. Delegated authentication removes security risks associated with synchronizing passwords (e.g. transfer of cleartext passwords).
Oracle: Oracle requires installation of other Oracle products such as the Directory Integration Platform for synchronization between other directory services, adding complexity and cost to every deployment. OpenDJ provides this feature standard out of the box as it is one of the baseline use cases for almost every enterprise.

About ForgeRock

ForgeRock is redefining identity and access management for the modern web including public cloud, private cloud, hybrid cloud, and enterprise and mobile environments. ForgeRock products support mission-critical operations with a fully open source platform. ForgeRock's Open Identity Stack powers solutions for many of the world's largest companies and government organizations. For more information and free downloads, visit www.forgerock.com or follow ForgeRock on Twitter at www.twitter.com/forgerock.

ForgeRock is the trademark of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries.