Use case: Use version control for elements of ForgeRock Identity Cloud

Use case overview

This use case demonstrates a number of ways in which version control can be used with elements of ForgeRock Identity Cloud. These include:

Using built-in versioning for Terms & Conditions

One element of Identity Cloud with built-in version control is Terms & Conditions (T&Cs).

T&Cs are typically used as part of an end-user authentication or registration journey. You can define multiple versions of the T&Cs and set a version to “active” to ensure that the users accept the latest terms and conditions.

To create a new version of the T&Cs:

  1. Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format https://<tenant-name>/am/XUI/?realm=/#/.

  2. Go to Terms & Conditions > New Version.

  3. Enter a version number for the new terms and conditions, then click Next.

  4. Enter the locale for which these terms and conditions apply (for example, en or fr), and then enter the text of your terms and conditions.

  5. Click Save as Draft or Publish.

  6. When publishing, click Set as Active Version if you want to make this the active version of your terms and conditions.

You can also set the active version of the T&Cs after they have been published.

Only one version of terms and conditions can be active at a time, for each locale.

See Terms and conditions for further information.

Utilizing a version control service for managing journey exports

You can build up your own repository of identity platform configurations in a version control service such as Git. This can include different versions of exported user journeys.

You can easily export user journeys and their dependencies via the Identity Cloud admin UI:

  1. Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format https://<tenant-name>/am/XUI/?realm=/#/.

  2. Go to Journeys.

  3. Check the checkbox for one or more journeys and click Export.

  4. Review the information on the Export Journeys page and click Export.

When you export a journey, the export looks for its dependencies and gathers all of that information into a single JSON object. Dependencies might include node scripts, inner journeys, and email templates.

The metadata exported with the journey includes where it was exported from, the date, and by whom.

Once exported, you can pull the JSON object into your own version control service such as Git.

See Journeys for further information on importing and exporting journeys.

Utilizing a third-party auditing tool to analyze configuration changes

The auditing of changes made by Identity Cloud administrators is also important when considering version control.

All ForgeRock audit information can be exported via a REST API. The exported audit logs are typically ingested using a third-party audit tool, such as Splunk.

Using the Identity Cloud Splunk app

See How do I set up the ForgeRock Identity Cloud app for Splunk? for further information on setting up the Splunk app for Identity Cloud.

Splunk allows you to perform a very detailed search and analysis on changes to Identity Cloud configuration.

The following example search string looks for configuration changes made by a particular user:

source="forgerock" <userID> component="Config" http.request.method="POST"

In the results, you can view the configuration changes made by the specified user. In this example, you can see that the user has made a change to the Facebook social identity provider.

All audit logs include a tracking ID. An administration change may result in a number of individual audit log entries; the tracking ID can be used to aggregate these.

A more forensic search might look for any authorization policies that have been deleted, for example:

source="forgerock" component="Policy" http.request.path="https://<tenant-name>/am/json/alpha/policies/" http.request.method="DELETE"
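
The two searches above, combined with the tracking ID aggregation, reproduced offline as an added Python example (not ForgeRock or Splunk code) for audit logs exported as JSON lines. The field names userId and trackingIds, the tenant.example host, and every sample entry are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample audit events, one JSON object per line. The dotted fields
# match the searches above; "userId" and "trackingIds" are assumed field names.
SAMPLE_LOG = """
{"userId":"admin-a","component":"Config","trackingIds":["t-100"],"http":{"request":{"method":"POST","path":"https://tenant.example/config/idp-a"}}}
{"userId":"admin-a","component":"Config","trackingIds":["t-100"],"http":{"request":{"method":"POST","path":"https://tenant.example/config/idp-b"}}}
{"userId":"admin-b","component":"Policy","trackingIds":["t-200"],"http":{"request":{"method":"DELETE","path":"https://tenant.example/am/json/alpha/policies/ExamplePolicy"}}}
{"userId":"admin-a","component":"Policy","trackingIds":["t-300"],"http":{"request":{"method":"GET","path":"https://tenant.example/am/json/alpha/policies/"}}}
{"userId":"admin-c","component":"Config","trackin
"""

def parse(text):
    """Parse JSON lines, skipping blank or truncated lines instead of failing."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def classify(event):
    """Return the kind of change an entry records, or None for anything else."""
    request = event.get("http", {}).get("request", {})
    method, path = request.get("method"), request.get("path", "")
    if event.get("component") == "Config" and method == "POST":
        return "config-change"
    if event.get("component") == "Policy" and method == "DELETE" and "/policies/" in path:
        return "policy-delete"
    return None

def changes_by_tracking_id(events):
    """Group entries by tracking ID and keep only groups that contain a change."""
    groups = defaultdict(lambda: {"users": set(), "kinds": set(), "paths": [], "entries": 0})
    for event in events:
        kind = classify(event)
        for tracking_id in event.get("trackingIds") or ["<none>"]:
            group = groups[tracking_id]
            group["entries"] += 1
            group["users"].add(event.get("userId"))
            group["paths"].append(event.get("http", {}).get("request", {}).get("path"))
            if kind:
                group["kinds"].add(kind)
    return {tid: g for tid, g in groups.items() if g["kinds"]}

if __name__ == "__main__":
    for tid, g in sorted(changes_by_tracking_id(parse(SAMPLE_LOG)).items()):
        print(tid, sorted(g["kinds"]), sorted(g["users"]), g["entries"], "entries")
```

Each reported group corresponds to one administrative action, so a deleted policy or changed provider shows up once with the user and every path it touched.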
