ForgeRock Identity Cloud: Centrally managing all identity data

Overview

Centrally managing all identity data is the practice of consolidating and controlling the information related to user identities, their attributes, roles, permissions, and access rights within a single, unified platform.

For customer (CIAM) use cases, keeping user data and security policies in one system removes identity silos and provides a single view of customer data. For workforce use cases, centrally managing all identity data consolidates identity silos, enabling centralized security policy enforcement and a reduced attack surface.

ForgeRock Identity Cloud offers several capabilities for centrally managing identity data. These include:

Identity provisioning and synchronization

What is it?

With identity provisioning, you can create, modify or delete user accounts in a target system such as a remote application or directory resource. Accounts are created with specific access rights or assigned specific roles in each target system.

Synchronization keeps user data aligned across all repositories. For example, if a user changes their personal information in one application, that change should be propagated to the other applications. This function is what makes it possible to manage all your end users from a single repository.

How is it achieved in Identity Cloud?

The provisioning and synchronization of identity data between resources is a core service of Identity Cloud. You can provision and de-provision identities and entitlements, such as groups, roles, or other assignments of privileges in a connected system, through identity connectors and a synchronization engine.

Identities in Identity Cloud can be provisioned from an external source of truth, such as Active Directory or a common business application like Workday or Salesforce. Alternatively, Identity Cloud can act as the source of truth and provision users to connected systems. Synchronization can run in either direction or in both directions.


With Identity Cloud, you can configure fine-grained provisioning, de-provisioning, and profile data synchronization behavior, thereby fully or partially automating the onboarding, updating, and removal of user accounts. Built-in connectors let you connect to data stores in other services. Other connectors can be set up and run remotely using a remote connector server (RCS).

To make application onboarding and provisioning easier, ForgeRock provides configuration templates for common business applications. You can register and provision these applications quickly and easily by choosing a template from the Applications page of the Identity Cloud admin UI (Applications > Browse App Catalog).

For bulk importing of identities from an external system, you can use a CSV file import. This is useful when you want to add a large number of identities to roles and assignments in a single operation. For further information, see Bulk import identities.


Business benefits

As a single platform, Identity Cloud can handle provisioning and synchronization at an enterprise scale. Providing a unified platform simplifies administration and reduces the potential of identity blind spots in the system due to the lack of integration of separate components. This 360-degree view of identity gives organizations a complete understanding of the provisioned access and actual usage of applications.

Centralized identity provisioning and synchronization are critical to ensure that identity information is clean, consistent, and accurate throughout the connected resources. This centralization simplifies identity management and makes it easier to enforce consistent security policies.

Assigning users to roles

What is it?

By assigning users to roles, an administrator can define what application access a user belonging to a particular role should have. A role is usually based on tasks the person will need to perform and contains permissions to all the applications and resources they will need to complete their tasks.

How is it achieved in Identity Cloud?

In Identity Cloud, roles are used to define user privileges. All role members receive the same permissions that are defined for the role. When you change the privileges for that role, you change the permissions for all role members. A user can belong to many roles.

You can create and manage roles in the Identities page of the Identity Cloud admin UI (Identities > Realm - Roles).

Assignments are used to give a user permission to access a resource they need to do a job. An assignment must be linked to a role. You create and manage assignments in the Identities page of the Identity Cloud admin UI (Identities > Realm - Assignments).

Identity Cloud’s synchronization engine can automatically provision roles and assignments. Assignments are mapped to an attribute stored in an external system; for example, this might be an intranet reporting app with its own database of user accounts.

With Identity Cloud’s application management, you can assign roles to onboarded applications. This makes it easier to set up access for groups of end users to external applications.

You assign roles to onboarded applications in the Applications page (Applications > application > Roles and Users).


Business benefits

As a single platform, Identity Cloud can handle role management at an enterprise scale. Providing a unified platform simplifies administration and reduces the potential of identity blind spots in the system due to the lack of integration of separate components. This 360-degree view of identity gives organizations a complete understanding of the provisioned access and actual usage of applications.

Role-based access control (RBAC) ensures that users have the appropriate level of access to resources, data, and functionalities based on their roles and responsibilities within an organization. This helps prevent unauthorized access and reduces the risk of data breaches or security breaches.

Joiner, leaver, mover (JML)

What is it?

Joiner, leaver, mover (JML) is the ability to give, update or remove application access for users based on their status in the organization.

  • Joiner provides access to all the resources the user needs to accomplish their tasks when they first join an organization.
  • Mover provides access to the new resources the user needs to accomplish their tasks while removing access to the applications they no longer need to access based on the new task definition.
  • Leaver quickly removes access to all applications the user was allowed to use when the user leaves an organization.

How is it achieved in Identity Cloud?

Identity Cloud includes the following JML capabilities:

  • Event hooks
  • Administrator federation

Event hooks

With event hooks, you can trigger a script based on a condition during the lifecycle of an identity object such as a user joining, moving or leaving an organization. This allows you to implement business logic based on events that occur on a user.

Event scripts can run when a user is created, updated, retrieved, deleted, validated, or stored in the repository. A script may also be triggered when a change to an identity object starts an implicit synchronization operation.

Identity Cloud provides a simple UI for creating and managing event hooks.

Examples of event hooks during the lifecycle of a user include OnCreate (for example, a joiner), OnUpdate (for example, a mover), and OnDelete (for example, a leaver).


Administrator federation

With administrator federation, Identity Cloud administrators can use single sign-on (SSO) to log in to an Identity Cloud tenant. By using federation to authenticate your administrators to Identity Cloud, you can quickly and easily de-provision users by removing their access from your centralized identity provider, such as Microsoft Azure or Active Directory Federation Services (ADFS).

Identity Cloud provides a simple UI for administrator federation, for easily setting up your federation provider and enabling the provider in Identity Cloud (Tenant Settings > Federation > Identity Provider).

A groups feature lets you add and remove administrators based on group membership in your identity provider. This lets you automate granting and removing access for groups of administrators who are being onboarded, switching roles, or leaving your organization.


Business benefits

JML capabilities of Identity Cloud allow organizations to quickly identify new joiners, movers, or leavers from authoritative sources, such as connected human resources systems, determine user access privileges, and automate the de-provisioning of users. Automating the JML process can streamline administrative tasks, enhance security, and improve efficiency.

By using federation to authenticate administrators to Identity Cloud, organizations can quickly and easily de-provision administrators by removing access from a centralized identity provider. This has business benefits, including enhanced security, improved efficiency, and compliance adherence.

Password reset

What is it?

With password reset, system administrators or other IT staff can reset passwords on behalf of end users or prompt users to reset their own passwords.

An administrator-initiated reset is usually handled by an automated flow: a random password is generated for the user and sent to them, and they are required to change it on their next login attempt.

How is it achieved in Identity Cloud?

With Intelligent Access journeys, a reset password flow can prompt users to reset their own passwords in certain situations, for example, when the user has forgotten their password, when the user first logs in, or (in conjunction with a password policy) after a specified number of days.

A sample Reset Password journey is provided with Identity Cloud. This journey requests a user’s email address, checks if a user with that email exists, and if so, emails a reset link to the user. The journey then waits until the user clicks the link before presenting a password reset prompt.

An example of an Intelligent Access journey that forces users to change their password the first time they log in is shown below.

In this journey, the Login Count Decision node interval is set to 1.

When a user logs in for the first time, they are presented with a reset password screen similar to the one shown here.

Enforcing a password change after a set number of days is part of the Identity Cloud password policy. When enabled, the policy forcibly expires each end user password after the specified number of days, months, or years have elapsed from when the password was set.

You can combine a password policy with the Identity Store Decision node in a journey to expire end user passwords. The Force password change policy setting lets you define an expiry interval, measured for each end user from when their password was last set.


Business benefits

An automated password reset process ensures that end users who have forgotten their passwords can quickly regain access to their accounts without unnecessary delays or frustrations. This enhances user satisfaction and reduces the likelihood of support requests related to password issues.

In the event of a data breach or security incident, administrators can proactively reset passwords for affected accounts to prevent further unauthorized access.

MFA reset

What is it?

With MFA reset, an administrator can update, remove or assign an additional authentication factor for an end user. This could, for example, be due to a lost device, or an upgraded device.

How is it achieved in Identity Cloud?

Identity Cloud administrators can reset MFA for users who lose a registered mobile device and do not have a valid recovery code. This is done through the REST API, which lets the administrator reset a device profile by deleting the information about a user’s registered device.

Administrators can:

  • Provide authenticated users with a self-service page that calls the REST API to reset their devices.
  • Call the REST API themselves to reset a user’s device profiles.
  • Call the REST API themselves to reset a device that is out of sync, where the HOTP counter exceeds the HOTP threshold window and requires a reset.
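The out-of-sync case in the last bullet is easiest to see with the HOTP counter itself. The following is an added example, not Identity Cloud code or its REST API: a minimal RFC 4226 HOTP generator plus a server-side verifier with a look-ahead window, showing that a device whose counter has drifted past the window can no longer authenticate until an administrator re-aligns (resets) the server-side device record. The secret is the RFC 4226 test-vector key, and the window size and `admin_reset` method are assumptions for illustration.

```python
import hmac
import hashlib
import struct

# Constructed sample secret: the RFC 4226 test-vector key (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class HotpVerifier:
    """Server-side view of one registered device: shared secret, expected counter, look-ahead window."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window      # how far ahead of the expected counter the server will search

    def verify(self, code: str) -> bool:
        # The device may have generated codes that were never submitted, so search a bounded
        # range ahead of the expected counter. Anything beyond the window is rejected.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resync and make this and all earlier codes unusable (no replay)
                return True
        return False   # wrong code, or the device has drifted past the window: admin reset required

    def admin_reset(self, device_counter: int = 0) -> None:
        """Assumed illustration of what an administrator's device reset achieves: re-align the counter."""
        self.counter = device_counter


def demo():
    v = HotpVerifier(SECRET, window=5)
    ok_in_window = v.verify(hotp(SECRET, 3))    # device skipped counters 0..2; 3 is inside the window
    replayed = v.verify(hotp(SECRET, 3))        # same code again: rejected, counter already advanced to 4
    drifted = v.verify(hotp(SECRET, 20))        # device at counter 20 is beyond 4 + 5: needs a reset
    v.admin_reset(20)
    ok_after_reset = v.verify(hotp(SECRET, 20))
    return ok_in_window, replayed, drifted, ok_after_reset
```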

For further information, see Reset registered devices using REST

Business benefits

Enabling administrators to reset MFA on behalf of users ensures that end users who have lost a device can quickly regain access to their accounts without unnecessary delays or frustration. This enhances user satisfaction and reduces the likelihood of support requests related to MFA issues.
