Directory Services with the ForgeRock Identity Platform - So What’s New?
Download as PPTX, PDF1 like774 views
Forgerock is a leading identity security software platform, established in 2010 with a global presence and significant funding. The document discusses the transition from perimeter-based to identity-centric security, emphasizing the complexities and needs of modern enterprises for identity relationship management. It highlights the Forgerock Identity Platform's capabilities in access management, identity management, and centralized directory services, which are built from various open-source projects.
Directory Services with the ForgeRock Identity Platform - So What’s New?
- 1. © 2016 ForgeRock. All rights reserved. Directory Services with the ForgeRock Identity Platform - So What’s New? • Ludovic Poitou – Product Manager • Rob MacDonald, Product Marketing Director
- 2. © 2016 ForgeRock. All rights reserved. 2010 Founded 10 Offices worldwide with headquarters in San Francisco 350+ Employees 450+ Customers 30+ Countries $52M Funding to date (thru Series C) by Accel Partners, Foundation Capital and Meritech Capital Partners ForgeRock is the leading, next-generation, identity security software platform.
- 3. © 2016 ForgeRock. All rights reserved. Perimeter-Based Security Identity-Centric Security Enables Digital Business Untrusted Trusted Inhibits Digital Business Old Security Model is Broken. Security Must Now Be Identity-Based. Enables Digital BusinessInhibits Digital Business
- 4. © 2016 ForgeRock. All rights reserved. Changes are adding Complexity Employees Employees & Partners Perimeter Perimeter Federation Things Perimeter-less Federation Cloud SaaS Mobility Consumers Perimeter-less Federation Cloud / SaaS ComplexityofScale Complexity of Experience
- 5. © 2016 ForgeRock. All rights reserved. Identity Access Management Customers (millions) On-premises People Applications and data PCs Endpoints Workforce (thousands) Partners and Suppliers Customers (millions) On-premises Public Cloud Private Cloud People Things (Tens of millions) Applications and data PCs PhonesTablets Smart Watches Endpoints Forrester Report Nov 2015: Market Overview: Customer Identity And Access Management (CIAM) Solutions Identity Relationship Management Business Has Changed: Enterprises Now Require Identity Relationship Management (IRM) Business Has Changed: Enterprises Now Require Identity Relationship Management (IRM)
- 6. © 2016 ForgeRock. All rights reserved. ForgeRock A Unified, Agile Platform Approach Legacy Software Acquisition Architecture Niche Vendors Component Strategy FINE-GRAINED ENTITLEMENTS …ADAPTIVE AUTHN IDENTITY MANAGEMENT ACCESS MANAGEMENT IDENTITY FEDERATION DIRECTORY SERVICES AUTHORIZATION SERVICES ? … IDENTITY PLATFORM Access Management | Identity Management Directory Services | Mobile and API Gateway ForgeRock PLATFORM
- 7. © 2016 ForgeRock. All rights reserved. Enterprise AppsMobile Apps Things Cloud Single Architecture | Next Generation | Open | Chip-to-Cloud Deployments | IRM Identity ManagementAccess Management Directory Services Identity Gateway Platform Strategy
- 8. © 2016 ForgeRock. All rights reserved. Shared Services : User Interface, Self-Service, REST API, HTTP, Scripting, Audit and Logging Federation Synchronization Authentication & Strong Authentication Identity Provisioning Application & Service Gateway Authorization & UMA Provider Workflow Engine IoT Identity Gateway Adaptive Risk Self-Service Password Capture & Replay UMA Protector Access Management Identity Management Identity Gateway Data Store High Availability Data Segmentation LDAP / REST Directory Services Open Standards, High Availability, On-Premises, Cloud, Hybrid The ForgeRock Identity Platform is built from the open source projects OpenAM, OpenIDM, OpenIG and OpenDJ The ForgeRock Identity Platform
- 9. © 2016 ForgeRock. All rights reserved. Directory Services – Core Capabilities Data Store High Availability Multi-Master Replication Rest & LDAP
- 10. © 2016 ForgeRock. All rights reserved. REST/JSON Access Control Groups LDAPv3 Caching Schema Management Monitoring Audit Logging Services Layer Password Policies Backend Services Persistence LDIF Change Log Replication Dynamic Attributes Access Layer ForgeRock REST OpenDJ SDK LDAPv3 DSML Admin ConsoleUI Layer ForgeRock Identity Platform: Directory Services
- 11. © 2016 ForgeRock. All rights reserved. Database Backend • New backend called “PDB” • Local-backend moved to similar structure, called “JE” • Better disk efficiency • Better performances • Tuned for OAuth2 and OpenID Connect services
- 12. © 2016 ForgeRock. All rights reserved. Replication Improvements • New Replication ChangeLog • Less disk utilization • Smarter cleanup • High Availability and Failover for “cn=changelog”
- 13. © 2016 ForgeRock. All rights reserved. Splitting Binaries from Data • At Setup • How ? instance.loc • Still 1 instance for 1 set of binaries 13
- 14. © 2016 ForgeRock. All rights reserved. Other improvements • Certificate Matching Rules & GSER (Community Contribution) • PKCS5S2 Password Storage • New privilege to access cn=Changelog • Password Update with REST to LDAP • New audit capabilities (across ForgeRock platform)
- 15. © 2016 ForgeRock. All rights reserved. Demo
- 16. © 2016 ForgeRock. All rights reserved. summits.forgerock.com
- 17. © 2016 ForgeRock. All rights reserved. Thank You
Editor's Notes
- #15: Finally, OpenDJ 3 includes a large number of new features and improvements. The most significant ones are outline here, but for the complete details, you will need to check the release notes. Certificate Matching Rules… Certificates are based from X.500 standards, the historical parent of LDAP. Both standards use ASN.1 notation and BER encoding, but in different ways. In LDAPv3, the certificates are treated as Opaque Byte Strings. The only thing possible is adding, reading, and comparing certificates as whole. The Certificate Matching Rules define a way to express filters and queries on specific fields within certificates. For example, finding the users who have a certificate with a specific alias, those whose certificates are expiring soon or have expired... PKCS5S2 is secure password storage scheme similar to the PBKDF2 scheme introduced in OpenDJ 2.6. It is compatible with the algorithm used by Atlassian Crowd and allow migration of passwords stored and used in that product. The ”cn=Changelog” suffix is governed by the same global ACIs as all other public name spaces. However, the suffix can contain very sensitive data, including password changes. We’ve addde a privilege to restrict the access to it, in a similar way that there is a ”config read” privilege. REST to LDAP has been enhanced. Most important change is the ability to change passwords now. Finally, across all our products, we’ve added a common auditing capability, with common features and a common output format. This allows to track operations and transactions across the entire ForgeRock Identity Platform, to simplify management and log processing for all products.