
OpenAM

All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Unique Benefits

OpenAM, the only “all-in-one” open source access management solution, provides the most innovative and comprehensive set of services required for consumer facing identity relationship management as well as traditional access management capabilities.

Designed from inception to provide services for the web, cloud, mobile devices and things, OpenAM has a highly scalable, modular, easy to deploy architecture that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security - in a single, unified product.

Modern customer-facing identity solutions need to employ a light touch when dealing with users, all while providing the highest possible security. They need to deliver a great, easy-to-use service, empowering the user wherever possible, for example through easy self-registration or password reset. Otherwise users are very quick to go somewhere else.

Administrators need to deliver a rich, personalized experience, and need to provide modern contextual authentication as well as fine-grained authorization.

Developers expect to be able to produce services based on latest open standards, and need to be able to build and provide those from any device. The latest OpenAM release delivers on all of these requirements making it great for users, administrators and developers alike.

■ Only “all-in-one” access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security, in a single, unified product.

■ New and improved user self-service capabilities cater to potentially very large user communities, assuring ease of use for demanding users all while maintaining the highest security levels.

■ Easy configuration of contextual and adaptive authentication through extensible scripts, and fine-grained authorization with a new policy editor and policy REST APIs.

■ Improved session handling through streamlined management of session tokens and session failover across sites.

■ Many more REST APIs are exposed (e.g. user self-service, policy, security token service), open standards such as OAuth 2.0 and OpenID Connect are enforced more strictly, and token transformations are possible (e.g. OpenID Connect to SAML


FORGEROCK.COM || FORGEROCK OPENAM DATASHEET

Delivering on Identity Relationship Management

“We needed to go beyond an employee-centric solution and grant our customers secure access to the relevant parts of our internal systems. We had to find a flexible platform that could handle identities for our internal and external users, ensure that each person only gained access to the relevant parts of the systems, and scale to support millions of users. We chose ForgeRock to provide a state of the art, customer IAM solution with a highly reliable support structure.”

MATTHIAS RÜBEL-OTTERBACH, Head of Web Application Development, Kabel Deutschland, A Vodafone Company

“ForgeRock OpenAM enables us to deliver a real-world ‘Internet of Things’ experience—allowing us to use the car itself as an identity to provide authentication to the services platform.”

KOSTAS GKIRKIZAS, Senior Project Manager, Car IT — Information Systems, Toyota Motor Europe

Kabel Deutschland, a Vodafone Company, achieved stable, high-performance access with ForgeRock OpenAM, providing it both externally to its end customers and internally to sales support portals.

ForgeRock OpenAM provides secure, personal access to the Toyota Touch 2 with Go device. Built into the vehicle’s dashboard, the device provides information, entertainment, enhanced navigation, and connected services.


Features and Benefits

Performance, Scalability, High Availability

■ Supports large-scale implementations with millions of users and thousands of authentications per second.

■ Requires less hardware at scale, decreasing datacenter cost and complexity.

■ High availability with out-of-the-box persistent session failover enables support of complex, multi-site environments.

■ OpenDJ comes embedded as the configuration store and as a highly scalable, high-performance persistent session store.

User Self-Service

■ Zero administration cycles needed to onboard and maintain user accounts.

■ Users are empowered to work to their own schedule.

■ Service is automatic and immediate.

■ Service is exposed over REST, enabling custom or mobile front-ends to use it.

Social Authentication

■ Makes it as easy as possible for new users to access protected resources.

■ Draws new customers in by removing the need to complete lengthy registration forms.

■ Administrators can integrate with social IdPs in less than 1 minute.

Contextual Authentication (using new Scripting Engine)

■ Easy-to-write scripts can call external identity proofing services, giving greater knowledge of who the user is and what their context is.

■ Scripts can be used to assess risk, calling up stronger authentication mechanisms only when necessary, which makes life easier for users whilst maintaining the security of the system.

■ These custom scripts increase the level of assurance and intelligence that the service provider has, enabling a more informed interaction with the user.

Scripted Device Identification Modules

■ A device identification script can be used to make a risk-based assessment of authenticity. Users logging in from unknown devices are riskier than those logging in from previously identified ones.

■ Additional factors can be employed to mitigate risk in these cases, whilst a streamlined process can be used to make life easier for transactions from trusted devices.

■ 100% Java-based architecture allows deployment across many platforms.

■ Developer and admin friendly, with a task-based GUI, REST, C and Java developer tools, and comprehensive documentation.

■ Service provider interfaces (SPIs) provide a framework to extend all service modules, such as adding custom authentication modules, federation plug-ins and policy conditions.


New Policy Editor

■ Delivers greater control over who can do what, when, and under which conditions.

■ Using point-and-click, drag-and-drop operations, sophisticated policies can be built to deliver controlled access to resources.

Policy Export and Import

■ By allowing policies to be externalised to rich XACML-format files, policies can be held in version control repositories. Policies can then be restored or pushed into production by importing them back into OpenAM.

■ Version control can also be used to track who has made changes to a given policy over time, and what those changes were.

Mobile Support

■ Widely used in mobile and web applications, the OAuth 2.0 and OpenID Connect standards are rigorously enforced, ensuring greater interoperability and consistent behaviour for developers.

■ The Mobile Profile is an emerging standard which extends OpenID Connect to deliver attributes which are important in the mobile world. By including Level of Assurance and other information as part of the token, OpenID Connect can be used in deployments requiring high security, whilst delivering a convenient experience for the end user.

■ Adaptive Authentication, including device fingerprinting, establishes whether a mobile device can be trusted.

■ REST APIs allow developers to create device-agnostic applications. The same API can be used to access OpenAM from a web or a native mobile application.

■ OATH/Soft Token Generator, MSISDN and HOTP (One Time Password) capabilities enable multi-factor and mobile authentication.

Cloud Support

■ Easily create federated SSO connections with SaaS apps via a GUI-based wizard, or use the out-of-the-box Salesforce.com and Google Apps connectors, among others.

■ Easily set up social authentication with Google, Facebook, MSN, or any OAuth 2.0 provider.

■ Simple click-through setup of federation IdPs and SPs using SAML, OpenID Connect and OAuth 2.0.

Developer Support

■ Exposes functions as simple identity web services, so developers can easily invoke them during the app development process.

■ Provides client application programming interfaces with REST, Java and C APIs.

■ RESTful APIs support JSON or XML over HTTP, allowing access to authentication, authorization, and identity services from web applications using simple REST clients.


REST STS for Token Transformation

■ A token transformation service which makes it easier for developers to convert between many identity token types, such as SAML assertions, OpenID Connect tokens, X.509 certificates and single sign-on tokens.

■ For example, a mobile app developer who holds an OpenID Connect token can easily generate a SAML assertion to access resources held by a federated service provider.

REST API Versioning

■ Developers calling OpenAM REST APIs can be insulated from interface changes by requesting a specific version of an API.

■ Server upgrades will not break existing clients.

Extensive Standards Support

■ All major federation protocols: SAML 1.x, SAML 2.0 (SP, IdP, ECP, and IdP Proxy), WS-Federation (asserting and relying party).

■ Next-generation federation standards for cloud and mobile, including full implementation of OpenID Connect and OAuth 2.0 (consumer, provider, authorization server).

■ Web services security standards: Liberty ID-WSF, WS-I Basic Security Profile, WS-Trust (STS), and WS-Policy.

■ FICAM (Federal Identity, Credential, and Access Management) compliant, an initiative defined by the U.S. Federal Government to simplify identity and access management across government systems.

■ OATH and HOTP standards that allow a mobile phone to be used as a second authentication factor.

■ XACML for fine-grained authorization policy definition, import and export.
