Moving to ForgeRock Identity Cloud

You’ve decided to move to ForgeRock Identity Cloud! First of all, congratulations! We look forward to helping you simplify your life, lower your risks, realize business benefits earlier, and provide you with the latest technology wrapped up in our ForgeRock Identity Cloud Platform.

Let’s answer some of the more common questions:

How will you build your ForgeRock Identity Cloud solution?

During your ForgeRock Identity Cloud project, ForgeRock gives you access to our Identity Cloud Technical Consultants, and a Customer Deployment Manager who will work with your organization and your chosen Partner/SI to build your initial offering. This will involve assistance in designing and building your Identities and applications to meet your organization’s requirements, migrating your users to the platform, connecting your required applications, and whatever other requirements you have.

Customers can create support tickets at any time through Backstage. These tickets can be used for moving configuration between environments and secrets management. Learn about promoting configuration.

Where is ForgeRock Identity Cloud?

ForgeRock is a proud Google Cloud Premier Partner. As such, our Identity Cloud solution resides in the regional Google Cloud Platform (GCP). Engineered for Google Cloud, ForgeRock Identity Cloud is built with a multi-tenant cloud architecture with full customer isolation. More information about ForgeRock’s partnership with Google Cloud can be found [here](

What is available in ForgeRock Identity Cloud?

Access to Identity Cloud is done through a variety of packages, each giving you access to more and more underlying functionality.

For detailed information about these packages, go here. Underlying the ForgeRock Identity Cloud solution is our comprehensive ForgeRock Identity Platform.

What components sit in ForgeRock Identity Cloud?

At a very high level, ForgeRock Identity Cloud contains the following.

ForgeRock is responsible for managing these components, including upgrading, monitoring, promoting configuration, and all other maintenance tasks. What this means for you is:

* No deployments
* No upgrades
* No system management
* Round the clock monitoring

Also, during the deployment, our project team can help you design and build the functionality inside your ForgeRock Identity Cloud.

What components sit outside of ForgeRock Identity Cloud?

Some of the components will sit outside of Identity Cloud, but are still part of your overall solution. These can reside in your own cloud, or on-premise; the actual location will depend on your use cases and organization's structure. These components are the responsibility of the organization to install and maintain. This will require the provisioning of resources like hardware/virtual machines/containers, and your chosen SI. Our Technical Consultants can help you ensure your solution is designed with high availability, performance, and security in mind.

ForgeRock Identity Gateway (IG**)** can play many roles, and is often called the Swiss Army knife of the ForgeRock Identity Platform. For more information about IG and its use cases, see here.

A common example is an SSO-enabled reverse proxy protecting applications. IG can enforce SSO by Identity Cloud, and also ensure the user is authorized to access the resources. In this simple example, your authentication journeys and authorization policies are configured in Identity Cloud, and IG ensures applications are protected correctly to meet organizational objectives. While there are many other use cases for IG, the point is that IG sits outside of Identity Cloud, but securely communicates to offer protection.

The diagram below, which can be found in more detail here, illustrates how IG protects applications and APIs backed by Identity Cloud.

ForgeRock’s Policy Agents also sit to offer SSO/Web protection, often installed on the applications server. The actual use cases will dictate the correct component. More information on Policy Agents can be found here.

Remote connector server

Data synchronization to/from ForgeRock Identity Cloud to your on-premise applications, i.e., Active Directory, ForgeRock Directory Services, and/or other supported applications, is a very common requirement. You’ll find documentation regarding the remote connector server (RCS) setup on the Identity Cloud Connect Identities page.

In order to securely connect from ForgeRock Identity Cloud into your organization, ForgeRock provides the remote connector server (RCS). The RCS is a Java application that is installed inside the organization’s boundary, and contains the connectors that are required to communicate to various supported applications. The IDM component of ForgeRock Identity Cloud has a built-in connector server, and when IDM is installed inside the organization, can use its built-in server. Because ForgeRock Identity Cloud is now out there in the cloud, it is necessary to separate IDM and its connector server to ensure that traffic to/from cloud to on-premise is secure.

The following diagram illustrates a typical RCS architecture where the RCS is placed behind the firewall. This diagram and more information can be found in the IDM documentation.

Software Development Kits

ForgeRock’s services are available over our common REST API, including authentication, authorization, management of identities, and even the service itself. To make these REST services even easier to consume, ForgeRock provides you with our software development kits (SDKs), supported on iOS and Android, as well as JavaScript. The SDKs eliminate unnecessary complexity and increase platform agility. The SDKs can be embedded into your web page or app to add capabilities like SSO, device profiling, and user registration, all backed by Identity Cloud. ForgeRock provides tutorials and examples of SDK’s usage that the organization’s UI team can use when developing their ForgeRock Identity Cloud-secured applications. FogeRock provides comprehensive documentation on our SDK’s here and an entire site dedicated to the SDK here.

SIEM Tools and Auditing

ForgeRock Identity Cloud provides an API to retrieve and view the logs, and stores the logs for 30 days. More details about Identity Cloud audit logging can be found here. Each of our customers use their own SIEM tools to collate and present audit data according to internal policies and procedures. The setup of the SIEM tools like Splunk and QRadar are therefore the responsibility of the organization.

Helpful Links

Other Articles by This Author

1 Like