Providing easy application access to known users means that users who are already identified and recognized as authorized can quickly access specific applications or services.
ForgeRock Identity Cloud delivers a low-friction user experience for accessing applications. For Customer Identity Access Management (CIAM) use cases, customers can easily access all applications and services they are registered for. For workforce use cases, employees can quickly access all the applications they are entitled to use.
Identity Cloud offers several capabilities for providing easy application access. These include:
- Standards-based application integration
- Non-standard application integration
- Step up authorization
- Fine-grained authorization
- Continuous authorization and authentication
With standards-based application integration, you can provide access to applications that use open standards such as OpenID Connect (OIDC), OAuth 2.0 and Security Assertion Markup Language (SAML 2.0), enabling quick integration of single sign-on (SSO). These standards use industry-standard protocols to ensure confidentiality and integrity of communication between parties.
Identity Cloud’s authorization and federation services support all major identity standards including OAuth 2.0, OIDC, SAML 2.0 and CIBA (Client Initiated Backchannel Authentication), as well as providing synchronization and storage.
For a list of standards supported by Identity Cloud, see: What open standards does ForgeRock support?
ForgeRock’s philosophy is to support all the latest standards and extended capabilities of standards to allow our customers to quickly enable all applications with the highest security. A recent example of this is the adoption of the OpenID Foundation’s FAPI (Financial-Grade API) standard.
For further information on achieving standards-based application integration with Identity Cloud, see:
Using open standards to enable SSO and federation allows users to authenticate once and access multiple applications without the need for repeated logins, therefore improving the user experience, reducing password fatigue, and increasing productivity.
Integrating applications with Identity Cloud using open standards such as SAML 2.0 or OIDC reduces the need for custom authentication solutions for each application, therefore saving your organization time and money.
SAML 2.0 and OIDC support secure authentication mechanisms including token-based authentication and encryption. This means you can enforce stronger security measures and reduce the risk of unauthorized access-related attacks and the associated financial and reputational costs.
With non-standard application integration, you can provide access to applications that do not support OIDC, OAuth 2.0 or SAML 2.0. These are often legacy (mainframe) or proprietary systems that many larger organizations run their business on and cannot easily migrate from.
For integration with applications that are not standards-based, Identity Cloud can be supplemented with ForgeRock Identity Gateway.
Identity Gateway enables integration of web applications and APIs with Identity Cloud, for SSO and API Security, as illustrated below:
Identity Gateway can be configured to protect any web application running on any other technology. It can add throttling, SSO, OAuth 2.0, OIDC, SAML 2.0 SP and other capabilities to protected applications, as well as a number of different caching mechanisms that greatly enhance performance.
For further information on achieving non-standard application integration with Identity Cloud, see:
- About Identity Gateway and the ForgeRock Identity Cloud
- Protecting an application with ForgeRock Identity Gateway
With ForgeRock Identity Gateway, organizations can enable SSO across various applications and systems including legacy systems. This eliminates the need for multiple login credentials and reduces password fatigue.
ForgeRock Identity Gateway enables seamless connectivity between different applications and systems. It supports various protocols and standards, such as OAuth 2.0, OIDC, SAML 2.0, and LDAP, making it easier to integrate with existing IT infrastructure and third-party solutions.
By providing a centralized access control point, Identity Gateway allows organizations to enforce strong authentication and authorization policies. It helps protect sensitive data and ensures that only authorized users and devices can access protected resources.
With step up authorization, you can ask for a stronger authentication factor based on the risk associated with accessing a high-value resource such as an intellectual property repository. This is often part of a Zero Trust security architecture.
Identity Cloud includes a policy engine that sets the authentication level requirements based on assets, groups, or many other static object attributes.
Authorization policies determine whether to grant a subject access to a resource. Policies define the resource to which access is restricted, such as a web page, the verbs that describe what users can do to the resource, such as read a web page or submit a web form, who the policy applies to, and the circumstances under which the policy applies.
This demo video shows how you can use ForgeRock’s authorization policies, Identity Gateway routing and Intelligent Access journeys to achieve step up authentication to request a higher level of authentication to access more secure areas of a website.
For further information on achieving step-up authorization with Identity Cloud, see:
- Grant access through policies
- Step up authorization for a transaction
- Does the ForgeRock CIAM solution provide Zero Trust Security and a CARTA model of risk?
Step up authorization adds an extra level of security by introducing additional authentication factors or challenges when accessing sensitive information or performing high-risk transactions. It helps protect against unauthorized access, identity theft and fraud attempts.
With step up authorization, you can assess the risk associated with an action and adjust the authentication requirements accordingly. This allows you to apply stronger authentication measures when the risk level is higher, reducing the likelihood of fraudulent activities.
With fine-grained authorization, also known as granular or attribute-based authorization, you can adjust the authorization level or prompt for additional authentication based on the user’s contextual information before a secured resource is accessed. Depending on that contextual information, the response can be more subtle than a plain grant or denial, such as a lower authorization level, data redaction, or data throttling.
Identity Cloud supports authorization policies from simple, coarse-grained rules to highly advanced, fine-grained entitlements. A policy engine allows you to easily create custom resource types to map to resources you need to protect. You can associate any action with any resource and easily map the action to the appropriate users with your environmental and contextual conditions and create a simple object-based protection system.
Authorization policies can be enforced via our powerful REST API or the Identity Gateway to allow for rapid integration with no changes to the underlying system.
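The policy model described in the step-up and fine-grained sections above (a resource, the verbs allowed or denied on it, the subjects it applies to, and the environment conditions such as required authentication level or client network) is easier to reason about when you can run it. The following is an added example written for this page, not ForgeRock's policy engine or API: a small policy decision point that returns allow, deny, or a step-up advice naming the authentication level the enforcement point must obtain first. The policies, subject, URLs and networks are constructed; the advice key `AuthLevelConditionAdvice` is the name ForgeRock AM uses for this advice, everything else is an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set


@dataclass
class Subject:
    username: str
    groups: Set[str]
    auth_level: int = 0  # strength of the authentication already performed this session


@dataclass
class Policy:
    name: str
    resource: str                          # glob pattern over the protected URL
    actions: Dict[str, bool]               # verb -> True (allow) / False (deny)
    groups: Set[str]                       # subject condition: members of any of these
    min_auth_level: int = 0                # environment condition: auth level required
    networks: Optional[List[str]] = None   # environment condition: client IP must be inside one


@dataclass
class Decision:
    resource: str
    action: str
    allowed: bool
    policy: Optional[str] = None
    advice: Dict[str, List[str]] = field(default_factory=dict)


def _applies(p: Policy, subject: Subject, resource: str, action: str, client_ip: str) -> bool:
    """A policy applies only when resource, action, subject and network conditions all match."""
    if not fnmatchcase(resource, p.resource) or action not in p.actions:
        return False
    if not (subject.groups & p.groups):
        return False
    if p.networks is not None:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(n) for n in p.networks):
            return False
    return True


def evaluate(policies: List[Policy], subject: Subject, resource: str,
             action: str, client_ip: str) -> Decision:
    applicable = [p for p in policies if _applies(p, subject, resource, action, client_ip)]
    # Deny-overrides combining rule: one explicit deny beats any number of allows.
    for p in applicable:
        if not p.actions[action]:
            return Decision(resource, action, False, policy=p.name)
    allows = [p for p in applicable if p.actions[action]]
    if not allows:
        return Decision(resource, action, False)  # nothing grants it: default deny
    for p in allows:
        if subject.auth_level >= p.min_auth_level:
            return Decision(resource, action, True, policy=p.name)
    # Allowed in principle, but the session is too weak: a step-up advice, not a denial.
    needed = min(p.min_auth_level for p in allows)
    return Decision(resource, action, False, policy=allows[0].name,
                    advice={"AuthLevelConditionAdvice": [str(needed)]})


# Constructed policies: ordinary docs need a level-1 login, the IP repository
# (the high-value resource from the text) needs level 2 from the internal network,
# and nobody may DELETE from it.
POLICIES = [
    Policy("read-docs", "https://intranet.example/docs/*", {"GET": True},
           {"employees"}, min_auth_level=1),
    Policy("ip-repo-mfa", "https://intranet.example/ip-repo/*", {"GET": True, "POST": True},
           {"engineering"}, min_auth_level=2, networks=["10.0.0.0/8"]),
    Policy("ip-repo-no-delete", "https://intranet.example/ip-repo/*", {"DELETE": False},
           {"employees"}),
]
ALICE = Subject("alice", {"employees", "engineering"}, auth_level=1)


if __name__ == "__main__":
    for url, verb in [("https://intranet.example/docs/handbook.pdf", "GET"),
                      ("https://intranet.example/ip-repo/design.pdf", "GET")]:
        d = evaluate(POLICIES, ALICE, url, verb, "10.1.2.3")
        print(verb, url, "->", "allow" if d.allowed else "deny", d.advice)
```

The enforcement point (Identity Gateway, or your own code calling the REST API) treats the advice differently from a plain deny: it sends the user back through a journey that reaches the required level and then re-asks, which is exactly the step-up behaviour the text describes.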
For further information on achieving fine-grained authorization with Identity Cloud, see:
- OAuth 2.0 scopes
- Grant access through policies
- Does the ForgeRock solution support distributed scope design with least privileged access?
Fine-grained authorization ensures that customers and employees only have access to the specific resources and actions they need. Security is increased by reducing the risk of unauthorized access to sensitive data or critical functions and data leaks.
For workforce use cases, organizations can adhere to the principle of least privilege, which states that users should only be granted the minimum privileges necessary to perform their tasks.
Many industries are subject to regulatory requirements (such as GDPR and HIPAA) that mandate strict data access controls and privacy measures. Fine-grained authorization addresses compliance with these regulations by enforcing precise access restrictions and demonstrating a clear audit trail of access activities.
Fine-grained authorization may also help to deliver personalized experiences to customers based on their attributes or preferences. This personalization can lead to higher user satisfaction and engagement.
With continuous authorization, the user’s contextual risk score is assessed throughout the course of an authenticated session, and the authorization level is adjusted, or the user is challenged for additional authentication, accordingly.
Unlike traditional authentication and authorization that occurs only at initial login, continuous authorization considers other factors like device posture, location change and other user behavioral data.
Continuous authorization is implemented through Intelligent Access journeys and, in certain cases, associated client-side scripting or SDKs, and authorization policies.
Intelligent Access journeys can collect context at every step of the authentication flow. This context is stored throughout the user’s session and can be re-evaluated prior to any authorization event to determine whether additional restrictions or further authentication should take place prior to accessing the resource.
Signals such as context (for example, IP address, operating system, browser, device, time of day), behavior (for example, ‘does the user log in at a particular hour’, or ‘is the location familiar’), and risk-based factors (such as ‘is the user accessing sensitive data’) can be considered. If an environmental or context attribute changes (for example, the user’s IP address), reauthentication or a stronger credential can be requested.
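The following is an added example, not ForgeRock's code or part of the original page, showing the mechanism the two paragraphs above describe: the context captured at authentication is stored on the session, and before each authorization event it is compared with the current context and with a behavioural baseline, producing allow, step-up, or reauthenticate. The signals, weights, thresholds and sample values are constructed assumptions of the example; a real deployment would take the score from the journey or a risk service.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Context:
    ip: str
    user_agent: str
    hour: int  # local hour of day, 0-23


@dataclass
class Session:
    user: str
    login_context: Context   # context the journey captured when the user authenticated
    auth_level: int          # strength of the credential presented so far
    usual_hours: Set[int]    # behavioural baseline: hours this user normally logs in
    events: List[Dict] = field(default_factory=list)  # audit trail of every decision


SENSITIVE_RESOURCES = {"payments", "profile-export"}

# Constructed weights: a changed browser is treated as a stronger hijack signal than a
# changed address, and touching sensitive data raises the bar on its own.
WEIGHTS = {"ip_changed": 3, "user_agent_changed": 4, "unusual_hour": 1, "sensitive_resource": 2}


def reevaluate(session: Session, now: Context, resource: str) -> Dict:
    """Re-check the session context before an authorization event.

    Returns {"resource", "decision": "allow" | "step-up" | "reauthenticate", "score", "reasons"}.
    """
    reasons = []
    if ipaddress.ip_address(now.ip) != ipaddress.ip_address(session.login_context.ip):
        reasons.append("ip_changed")
    if now.user_agent != session.login_context.user_agent:
        reasons.append("user_agent_changed")
    if now.hour not in session.usual_hours:
        reasons.append("unusual_hour")
    if resource in SENSITIVE_RESOURCES:
        reasons.append("sensitive_resource")
    score = sum(WEIGHTS[r] for r in reasons)

    if score >= 4:
        decision = "reauthenticate"   # context drifted too far: the session is no longer trusted
    elif score >= 2 and session.auth_level < 2:
        decision = "step-up"          # ask for a stronger credential before this event
    else:
        decision = "allow"

    event = {"resource": resource, "decision": decision, "score": score, "reasons": reasons}
    session.events.append(event)
    return event


def refresh_context(session: Session, ctx: Context, auth_level: int) -> None:
    """After a successful step-up or reauthentication, rebind the session to the new context."""
    session.login_context = ctx
    session.auth_level = auth_level


if __name__ == "__main__":
    login = Context("198.51.100.7", "Mozilla/5.0 (constructed)", 9)
    s = Session("alice", login, auth_level=1, usual_hours={8, 9, 10, 17})
    print(reevaluate(s, login, "dashboard"))
    print(reevaluate(s, Context("203.0.113.9", login.user_agent, 9), "payments"))
```

Storing the per-decision event on the session gives the audit trail that later sections of this page mention, and `refresh_context` is what keeps a legitimate user who moved networks from being challenged on every subsequent request once they have reauthenticated.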
The following example journey shows how different authentication methods can be used depending on the user’s device (known or unknown) and other contextual analysis:
For further information on this journey, see Identity Cloud Deep Dive: Context-Based Risk Analysis (video).
Further, AI-driven user behavior and threat detection clues can be analyzed through the introduction of Autonomous Access into the authentication journey. With the addition of this capability, unnecessary authentication obstacles can be removed while still giving a degree of certainty that the user is who they claim to be and that the session hasn’t been compromised since its creation.
The following example journey shows how Autonomous Access nodes can be added to a journey to determine risk and add another layer of authentication if the risk is determined to be high.
For further information on achieving continuous authorization and authentication with Identity Cloud, see:
- Continuous and Contextual Authorization
- Does the ForgeRock solution support contextual access?
- Does the ForgeRock CIAM solution provide Zero Trust Security and a CARTA model of risk?
- Introduction to authentication
- Session upgrade with MFA
- Continuous Contextual Authorization (training video)
- Demo: Step-Up Authentication Flow (training video)
- Autonomous Access
- Use case: Configure risk-based authentication in ForgeRock Identity Cloud
By analyzing multiple factors and patterns, continuous, contextual authentication helps organizations identify potential security threats and reduces the risk of unauthorized access to services and applications.
Using Intelligent Access Journeys and a variety of authorization policy enforcement options, organizations can make continuous security decisions and support Zero Trust and Gartner’s Continuous Adaptive Risk & Trust Assessment (CARTA).
For organizations that handle customer data, implementing continuous authentication can enhance trust and confidence by demonstrating a commitment to protecting their sensitive information, fostering customer loyalty, and improving the organization’s reputation.
With omnichannel, an authenticated session can seamlessly move from one digital channel to another, for example from a desktop browser to a chatbot or from a mobile app to a browser, without having to log in again.
Identity Cloud provides a range of capabilities to allow a frictionless experience when traversing various channels during the same session, to create a true omnichannel experience. These channels may include web, mobile, chatbot and telephony.
Intelligent Access journeys can be configured to shift from one authentication method and channel to the next during an authentication session. By storing all the authentication and contextual information in the session, a user can move, for example, from web to chatbot, to telephony without having to re-authenticate.
The session state can be implemented so that channels share the session’s authenticated credentials as decided by the Policy Decision Point (PDP). Depending on the strength of credentials required, policies associated with a specific channel can request a stronger level of authentication before access is granted. For channels that don’t support standard protocols such as OpenID Connect or SAML 2.0 (for example, some IVR systems), ForgeRock Identity Gateway can be used to mediate between the channel and Identity Cloud.
With ForgeRock’s REST API layer, multiple channels can authenticate with ForgeRock’s authentication mechanisms, providing a unified way for applications and systems to plug in authentication using API invocation through REST.
For further information on achieving omnichannel application access with Identity Cloud, see:
For CIAM use cases, an effective omnichannel strategy is key to providing a consistent experience that removes friction and creates an enjoyable customer journey.
In retail, for example, it enables a seamless shopping experience, so that a customer browsing a mobile app can then move to a desktop system and pick up right where they left off.