Overview

Providing user information to applications is an important capability of workforce Identity and Access Management (IAM) systems. This includes the ability to assign and revoke access to applications as the user moves through the joiner, mover, leaver (JML) process.

ForgeRock Identity Cloud offers several capabilities for providing user information to applications. These include:

• Identity provisioning and synchronization
• Joiner, leaver, mover (JML) capabilities

Identity provisioning and synchronization

What is it?

With identity provisioning, you can create, modify or delete user accounts in a target system such as a remote application or directory resource. Accounts are created with specific access rights or assigned specific roles in each target system.

Synchronization keeps all user data aligned across all repositories. For example, if a user changes their personal information in one application, that change should be populated across applications.

How is it achieved in Identity Cloud?

The provisioning and synchronization of identity data between resources is a core service of Identity Cloud. You can provision and de-provision identities and entitlements, such as groups, roles, or other assignments of privileges in a connected system, through identity connectors and a synchronization engine.

Identities in Identity Cloud can be provisioned from an external source of truth, such as Active Directory or a common business application like Workday and Salesforce. Alternatively, Identity Cloud can act as a source of truth and provision users to connected systems. Synchronization can occur in either direction or in both directions.

With Identity Cloud, you can configure fine-grained provisioning, de-provisioning, and profile data synchronization behavior, fully or partially automating the onboarding, updating, and removal of user accounts. Built-in connectors allow you to easily connect to data stores in other services. Other connectors are also available to set up and run remotely using a remote connector server (RCS).

To make application onboarding and provisioning easier, ForgeRock provides configuration templates for common business applications. You can register and provision these applications quickly and easily by choosing a template from the Applications page of the Identity Cloud admin UI (Applications > Browse App Catalog).

uc_app_catalog1148×1486 187 KB

For further information on achieving identity provisioning and synchronization in Identity Cloud, see:

• Connectors
• Sync identities
• Bulk import identities
• Synchronization
• Provision an application

Training videos:

• Connect to External Resources
• Synchronization
• Managing Connectors
• Managing Synchronization and Reconciliation
• Demo: Add Connector Configuration for External LDAP Resource

Related use cases:

• Use case: Connect ForgeRock Identity Cloud with an LDAP user store
• Use case: Map attributes from an external user store to ForgeRock Identity Cloud

Business benefits

Identity provisioning and synchronization are critical to ensure user information is clean, consistent, and accurate throughout an organization’s connected applications.

Provisioning ensures that users are granted access to the resources they need and synchronization helps maintain consistent access across different systems. This simplifies identity management whilst reducing the risk of unauthorized access and data breaches.

Joiner, leaver, mover (JML)

What is it?

Joiner, leaver, mover (JML) is the ability to give, update or remove application access for users based on their status in the organization.

• Joiner provides access to all the resources the user needs to accomplish their tasks when they first join an organization.
• Mover provides access to the new resources the user needs to accomplish their tasks while removing access to the applications they no longer need to access based on the new task definition.
• Leaver quickly removes access to all applications the user was allowed to use when the user leaves an organization.

How is it achieved in Identity Cloud?

Identity Cloud includes the following JML capabilities:

• Event hooks
• Administrator federation

Event hooks

With event hooks, you can trigger a script based on a condition during the lifecycle of an identity object such as a user joining, moving or leaving an organization. This allows you to implement business logic based on events that occur on a user.

Scripts triggered by events can occur when a user is created, updated, retrieved, deleted, validated, or stored in the repository. A script may also be triggered when a change to an identity object triggers an implicit synchronization operation.

Identity Cloud provides a simple UI for creating and managing event hooks.

uc_new_event_hook2264×1344 167 KB

Examples of event hooks during the lifecycle of a user include OnCreate (for example, a joiner), OnUpdate (for example, a mover), and OnDelete (for example, a leaver).

For further information on event hooks in Identity Cloud, see:

• Event Hooks
• Scripting tips
• Identity Cloud identity schema

Administrator federation

With administrator federation, Identity Cloud administrators can use single sign-on (SSO) to log in to an Identity Cloud tenant. By using federation to authenticate your administrators to Identity Cloud, you can quickly and easily de-provision users by removing their access from your centralized identity provider, such as Microsoft Azure or Active Directory Federation Services (ADFS).

Identity Cloud provides a simple UI for administrator federation, for easily setting up your federation provider and enabling the provider in Identity Cloud (Tenant Settings > Federation > Identity Provider).

uc-federation-tenant-settings-federation746×217 23.5 KB

uc_admin_federation_azure1080×558 72.2 KB

A groups feature allows you to add and remove administrators depending on group membership in your identity provider. This enables you to automate the granting and removing of access for groups of administrators who are being on-boarded, switching roles, or leaving your organization.

uc_admin_federation_groups791×512 47.8 KB

For further information on administrator federation in Identity Cloud, see:

• Administrator federation
• Enable federation for your tenant

Business benefits

JML capabilities of Identity Cloud allow organizations to quickly identify new joiners, movers, or leavers from authoritative sources, such as connected human resources systems, determine user access privileges, and automate the de-provisioning of users. Automating the JML process can streamline administrative tasks, enhance security, and improve efficiency.

By using federation to authenticate administrators to Identity Cloud, organizations can quickly and easily de-provision administrators by removing access from a centralized identity provider. This has business benefits, including enhanced security, improved efficiency, and compliance adherence.