ForgeRock Identity Cloud: Adding new users to an identity system

Overview

Adding users to an identity system such as ForgeRock Identity Cloud enables centralized user management while offering improved security, access control, streamlined provisioning and de-provisioning, and auditability. This helps organizations enhance their overall security posture, mitigate risks, and easily manage user accounts and access rights.

ForgeRock Identity Cloud offers several capabilities for adding new users. These include:

Self-service registration

What is it?

With self-service registration, end users can quickly and easily create their own accounts. This simplifies the onboarding process by giving users the control to complete the registration independently without needing input from system administrators.

An effective self-service registration system provides flexibility and choice around authentication methods, information gathered, and the level of identity assurance needed.

How is it achieved in Identity Cloud?

Intelligent Access Journeys provide building blocks for creating context-driven self-service registration flows that can adapt based on many factors including device type, time of day, user choice and location.

To get you started, Identity Cloud comes with a default registration journey.

With this simple registration journey, the user signs up by entering basic details, adding security questions in a knowledge-based authentication (KBA) step, and accepting the terms and conditions.

You can easily adapt this journey or create new registration journeys to meet the needs of your organization.

Some examples of how you might wish to extend a registration journey to build in more security include:

  • Adding a CAPTCHA node to protect against software bots. See CAPTCHA node for further information.

  • Adding multi-factor authentication (MFA) nodes to require users to respond to out-of-band MFA challenges before they can reset passwords. See Multi-factor authentication nodes for further information.

  • Integrating third-party services into your journey, for example with identity proofing or behavioral biometrics. See Extend journeys with ForgeRock Marketplace nodes for further information.

  • Incorporating device information into the decisioning, for example, requiring workforce users to access an assigned managed device and browser in order to register. See Contextual nodes for further information.

For further information on achieving self-service registration with Identity Cloud, see:

Business benefits

CIAM: By implementing a straightforward self-service registration solution in Identity Cloud, you can expand your customer base significantly. This approach boosts customer acquisition rates and facilitates context-driven journeys, ultimately enhancing the overall user experience.

Workforce: Self-service empowers workforce users by giving them more control and choice and reducing their dependency on central IT teams.

Administrative onboarding

What is it?

With administrative onboarding, you can import users from an identity “source of truth” such as an HR system, LDAP directory or database, into your identity system.

How is it achieved in Identity Cloud?

ForgeRock offers various features and capabilities to achieve administrative onboarding. These include bulk upload via a CSV file, a connector-driven migration, and an event-driven approach.

For further information on achieving administrative onboarding with Identity Cloud, see:

Business benefits

CIAM: Identity Cloud lets you seamlessly import your customers from an existing system into a new one without introducing any friction in the user journey. This could be a one-time bulk upload, or Just In Time (JIT) migration, discussed below.

Workforce: Identity Cloud lets you programmatically integrate with an identity source of truth to ensure both identity repositories are in sync in real-time to allow for seamless user onboarding and birthright application access.

Pass-through authentication

What is it?

With pass-through authentication, you can authenticate users in any type of external repository without having to move them to the identity system. This is useful if you want to migrate passwords to an identity system as part of authentication (just-in-time synchronization) or retain a remote service for authentication.

A common example is Active Directory (AD), where either the password attribute is not returned or is in an unsupported format.

How is it achieved in Identity Cloud?

Pass-through authentication in Identity Cloud utilizes the Remote Connector Server (RCS) and connectors, along with Intelligent Access Journeys. This allows you to securely verify a user password against a remote datastore during the login process.

[Figure: io_passthrough]

With the RCS, ForgeRock can connect to ANY user repository, and access the data to create the user in the new repository.

Identity Cloud includes a Passthrough Authentication node that you can add to your Intelligent Access Journeys. This node uses a connector to validate credentials against the remote AD service. The remote system verifies the user’s password even if Identity Cloud doesn’t support the hash algorithm.

The following example shows a login flow that tries pass-through authentication when local authentication fails and stores the user password when authentication with the third-party service succeeds.

[Figure: io_passthrough_journey]

For further information on achieving pass-through authentication with Identity Cloud, see:

Business benefits

ForgeRock is the only solution that can access Active Directory (AD) without an agent.

A pass-through method can be used when migrating batches of users from the source solution in a staggered way. If the user has already been migrated, their credentials are checked locally. If no local record is found, the system validates them against the remote data source. This approach lets you migrate user data gradually whilst ensuring seamless authentication for users.

Just In Time (JIT) migration

What is it?

With JIT migration, existing users are moved from one identity repository to the identity management solution only as the user logs on, without requiring a password change.

This type of migration is seamless to the end user and allows organizations to only move users that are still active in the system.

How is it achieved in Identity Cloud?

Intelligent Access Journeys provide the flexibility to determine if the user exists in the ForgeRock repository or not. If not, the journey can access the remote repository and upon successful authentication can create the user.

The Remote Connector Server (RCS) allows Identity Cloud to connect to ANY user repository, and access the data to create the user in the new repository.
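The pass-through login flow and the JIT migration step described above, as an added simulation that is not ForgeRock code: a constructed remote directory stands in for the legacy store behind the RCS, a dictionary stands in for the Identity Cloud repository, and login() follows the decision order the page gives (local record first, remote only when no local record exists, local account created on the first remote success).

```python
"""Simulation of pass-through authentication with just-in-time migration.

Constructed example, not ForgeRock code. REMOTE_USERS plays the role of the
legacy directory reached through the RCS; LOCAL_USERS plays the role of the
Identity Cloud repository that users are migrated into.
"""
import hashlib
import hmac
import os

# Constructed remote directory. Its password format is opaque to us (as with
# AD), so the only operation available is a yes/no credential check.
REMOTE_USERS = {"alice": "Winter2024!", "bob": "hunter2"}

def remote_authenticate(username: str, password: str) -> bool:
    """Stand-in for the connector call made by the Passthrough Authentication node."""
    return REMOTE_USERS.get(username) == password

# Local repository: username -> (salt, PBKDF2 hash). Empty before migration.
LOCAL_USERS: dict[str, tuple[bytes, bytes]] = {}

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_local_user(username: str, password: str) -> None:
    """JIT step: the migrated record holds only a salted hash, never clear text."""
    salt = os.urandom(16)
    LOCAL_USERS[username] = (salt, _hash_password(password, salt))

def login(username: str, password: str) -> str:
    """Return 'local', 'migrated' or 'denied' so the path taken is visible."""
    record = LOCAL_USERS.get(username)
    if record is not None:
        salt, stored = record
        # Already migrated: decide locally and never fall through to the
        # remote store, so a failed local check cannot be retried remotely.
        if hmac.compare_digest(stored, _hash_password(password, salt)):
            return "local"
        return "denied"
    # No local record: pass the credentials through to the remote repository.
    if remote_authenticate(username, password):
        create_local_user(username, password)  # migrate on first success
        return "migrated"
    return "denied"
```

The first successful login for a user returns "migrated" and creates the local record; every later login for that user is decided locally, which is the staggered migration the page describes.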

For further information on achieving JIT migration with Identity Cloud, see:

Business benefits

With JIT in Identity Cloud, ForgeRock offers faster time to value by not having a large user migration project and only migrating users to the new repository as they interact with the system. This will reduce licensing costs for customers so they won’t have to pay for non-active users.

JIT delivers a seamless migration experience that is invisible to the end user and does not involve any interaction on their part, such as a password change.

Progressive profiling

What is it?

With progressive profiling, you can gather additional information on end users over time or based on a specific event. This allows a simple initial account creation process while gathering more data for personalized service as the relationship with the user grows.

How is it achieved in Identity Cloud?

Intelligent Access Journeys can include a progressive profiling step by simply nesting a progressive profile journey directly into a registration or login flow. This is achieved by adding an Inner Tree Evaluation node to the registration or login journey.

Identity Cloud comes with a default progressive profile journey to get you started.

With this journey, if the user logs in three times without choosing any marketing preferences, they are prompted to specify their preferences. If the user does not make a selection, the prompt will expire and will not appear again. Chosen preferences will be saved in their profile.

You can easily adapt this journey or create new progressive profile journeys to meet the needs of your organization. Journeys provide the ultimate flexibility in what types of event can trigger progressive profiling. For example, this might include device type, number of logins, time duration (days, weeks), and type of resource being accessed.

For further information on achieving progressive profiling with Identity Cloud, see:

Business benefits

With progressive profiling, you can increase knowledge about a customer over time to deliver a more personalized experience, without lowering initial customer acquisition rates.