


Access Management in a Single Unified Solution

OpenAM, the only all-in-one open source access management solution,
provides the most innovative and comprehensive set of services required
for consumer facing identity relationship management as well as traditional
access management capabilities.

Unique Benefits

Only all-in-one access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security in a single, unified product.

New and improved user self-service capabilities cater to potentially very large user communities, assuring ease of use for demanding users while maintaining the highest security levels.

Easy configuration of contextual and adaptive authentication through extensible scripts, and fine-grained authorization with a new policy editor and policy REST APIs.

Improved session handling through streamlined management of session tokens and session failover across sites.

Many more REST APIs are exposed (e.g. user self-service, policy, security token service), open standards such as OAuth 2.0 and OpenID Connect are enforced more strictly, token transformations are possible (e.g. OpenID Connect to SAML 2.0), and REST APIs are versioned.

OpenAM is based on the Sun OpenSSO codebase, offering a simple upgrade for former Sun customers to continue with their current access management

Designed from inception to provide services for the web, cloud, mobile devices and things, OpenAM has a highly scalable, modular, easy-to-deploy architecture that includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security in a single, unified product.

Modern customer-facing identity solutions need to employ a light touch when dealing with users, all while providing the highest possible security. They need to deliver a great, easy-to-use service, empowering the user wherever possible, such as through easy self-registration or password reset. Otherwise users are very quick to go somewhere else.

Administrators need to be able to deliver a rich and personalized experience, and need to provide modern contextual authentication as well as fine-grained authorization.

Developers expect to be able to produce services based on the latest open standards, and need to be able to build and provide those from any device.

The latest OpenAM release delivers on all of these requirements, making it great for users, administrators and developers alike.



Delivering on Identity Relationship Management

Kabel Deutschland, a Vodafone Company, achieved stable and high-performance access with ForgeRock OpenAM, providing this both externally to its end customers and internally to sales support portals.

We needed to go beyond an employee-centric solution and grant our customers secure access to the relevant parts of our internal systems. We had to find a flexible platform that could handle identities for our internal and external users, ensure that each person only gained access to the relevant parts of the systems, and scale to support millions of users. We chose ForgeRock to provide a state-of-the-art customer IAM solution with a highly reliable support structure.
MATTHIAS RBEL-OTTERBACH, Head of Web Application Development, Kabel Deutschland, A Vodafone Company


ForgeRock OpenAM provides secure, personal access to the Toyota Touch 2 with Go device. Built into the vehicle's dashboard, the device provides information, entertainment, enhanced navigation, and connected services.

ForgeRock OpenAM enables us to deliver a real-world Internet of Things experience, allowing us to use the car itself as an identity to provide authentication to the services platform.
KOSTAS GKIRKIZAS, Senior Project Manager, Car IT Information Systems, Toyota Motor Europe




Modular Architecture

100% Java-based architecture allows deployment across many platforms.

Developer- and admin-friendly, with a task-based GUI, REST, C and Java developer tools, and comprehensive documentation.

Service provider interfaces (SPIs) provide a framework to extend all service modules
such as adding custom authentication modules, federation plug-ins, policy conditions.

Performance, Scalability, High Availability

Supports large-scale implementations with millions of users and thousands of authentications per second.

Requires less hardware at scale, decreasing datacenter cost and complexity.

High availability with out-of-the-box persistent session failover enables support of complex, multi-site environments.

OpenDJ comes embedded as a configuration store and as a highly scalable, high-performance session-persistence store.

User Self-Service

Zero administration cycles needed to onboard and maintain user accounts.

Users are empowered to work to their own schedule.

Service is automatic and immediate.

Service is exposed over REST, enabling custom or mobile front-ends to utilize it.

Social Authentication

Makes it as easy as possible for new users to access protected resources.

Draws new customers in by removing the need to complete lengthy registration forms.

Administrators can integrate with social IdPs in less than 1 minute.

Contextual Authentication (using new Scripting Engine)

Easy-to-write scripts can call external identity-proofing services, giving the service greater knowledge of who the user is and what their context is.

Scripts can be used to assess risk, calling up stronger authentication mechanisms only when necessary, which makes life easier for users whilst maintaining the security of the system.

These custom scripts increase the level of assurance and intelligence that the service provider has, enabling a more informed interaction with the user.

Scripted Device Identification Modules

A device identification script can be used to make a risk-based assessment of authenticity. Users logging in from unknown devices are riskier than those logging in from previously identified ones.

Additional factors can be employed to mitigate risk in these cases, whilst a streamlined process can be used to make life easier for transactions from trusted devices.

Fine-grained policy APIs

The APIs exposed in OpenAM 12 enable sophisticated policies to be authored.

These policies can ensure the right information goes to the right people under the right conditions.

Externalizing policies with OpenAM simplifies applications and gives flexibility after the application has been deployed.

Extended Authorization

OpenAM can control who can do what, to which resources, under certain specific conditions. OpenAM 12 extends how the "who" is specified, allowing an OpenID Connect token to identify the subject.

This can be used for authorization in scenarios where there is no current user session, for example when an offline batch-processing routine acts on behalf of a user.






New Policy Editor

This delivers greater control over who can do what, when, and under which conditions.

Using point and click, drag and drop operations, sophisticated policies can be built to
deliver controlled access to resources.

Policy Export and Import

By allowing policies to be externalised to rich XACML-format files, policies can be held in version control repositories. Policies can then be restored or pushed into production by importing them back into OpenAM.

Version control can also be used to track who has made changes to a given policy over time, and what those changes were.

Mobile Support

Widely used in mobile and web applications, the OAuth 2.0 and OpenID Connect standards are rigorously enforced, ensuring greater interoperability and consistent behaviour for

The Mobile Profile is an emerging standard which extends OpenID Connect to deliver attributes that are important in the mobile world. By including Level of Assurance and other information as part of the token, OpenID Connect can be used in deployments requiring high security, whilst delivering a convenient experience for the end user.

Adaptive Authentication including device fingerprinting ensures mobile devices are

REST APIs allow developers to create device-agnostic applications. The same API can be used to access OpenAM from a web or a native mobile application.

OATH/Soft Token Generator, MSISDN and HOTP (One Time Password) capabilities enable multi-factor and mobile authentication.

Cloud Support

Easily create federated SSO connections with SaaS apps via a GUI-based wizard, or use out-of-the-box connectors such as the one for Google Apps.

Easily set up social authentication with Google, Facebook, MSN, or any OAuth 2.0 provider.

Simple click-through setup of federation IdPs and SPs using SAML, OpenID Connect and OAuth 2.0.

Developer Support

Exposes functions as simple identity web services, so developers can easily invoke them during the app development process.

Provides client application programming interfaces with REST, Java and C APIs.

RESTful APIs enable JSON or XML over HTTP, allowing users to access authentication, authorization, and identity services from web applications using simple REST clients.






REST STS for Token Transformation

A token transformation service that makes it easier for developers to convert between many identity token types, such as SAML assertions, OpenID Connect tokens, X.509 certificates and single sign-on tokens.

For example, a mobile app developer who holds an OpenID Connect token can easily generate a SAML assertion to access resources held by a federated service provider.

REST API Versioning

Developers calling OpenAM REST APIs can be insulated from interface changes by requesting a specific version of an API.

Server upgrades will not break existing clients.

Extensive Standards

All major federation protocols: SAML 1.x, SAML 2.0 (SP, IdP, ECP, and IdP Proxy), WS-Federation (asserting and relying party).

Next-generation federation standards for cloud and mobile include full implementation of OpenID Connect and OAuth 2.0 (consumer, provider, authorization server).

All Web Services security standards: Liberty ID-WSF, WS-I Basic Security Profile, WS-Trust (STS), and WS-Policy.

FICAM (Federal Identity, Credential, and Access Management) compliant; FICAM is an initiative defined by the U.S. Federal Government to simplify identity and access management across government systems.

OATH and HOTP standards that allow a mobile phone to be used as a second factor.

XACML for fine-grained authorization policy definition, import, and export.

Support included for IPv6 and Java 6, 7, and 8.












About ForgeRock

The ForgeRock Identity Platform transforms the way millions of customers and citizens interact with businesses and governments online, providing better security, building relationships, and enabling new cloud, mobile, and IoT offerings from any device or connected thing. ForgeRock serves hundreds of brands like Morningstar, Vodafone, GEICO, TomTom, and Pearson, as well as governments like Norway, Canada, and Belgium, among many others. Headquartered in San Francisco, California, ForgeRock has offices in London, Bristol, Grenoble, Oslo, Singapore, and Vancouver, Washington. ForgeRock is privately held, backed by leading global venture capital firms Accel Partners, Foundation Capital, and Meritech Capital. For more information and free downloads, visit or follow ForgeRock on Twitter at

ForgeRock is the trademark of ForgeRock Inc. or its subsidiaries in the U.S. and in other countries.