Holy Grail for the Cloud

04.12.2012 by Dave Kearns

Back in August (“Open Source IAM – is it right for you?”) I wrote about my friend Brad Tumy’s Open Source Identity Solutions list and spent a paragraph or two on ForgeRock OpenAM which, I told myself, I’d try to get back to with more information for you. So recently I chatted with ForgeRock’s John Barco (director of product marketing) and Jamie Nelson (Vice President of Engineering), both of whom I’d first met when they were at Sun Microsystems. John & Jamie filled me in on what’s happening with ForgeRock, and I’d like to pass that information along to you. First, though, I want to talk about a surprise I had recently.

It’s a new book on an Identity subject! It’s been a number of years since I’ve seen a new, “dead trees”, tome about Identity but here was one. It has the less-than-catchy title of Microsoft Forefront Identity Manager 2012 R2 Handbook. On the other hand, you know right away what it’s about. And that’s everything you need to know about FIM 2012R2. Published by the UK’s Packt Publishing Co., and written by Kent Nordström, a sub-contractor to Microsoft Consulting Services, the book, while dry, is far from the mind-numbing handbooks we were familiar with in the 90’s. Instead, it is presented as a (fictional) case study of a company implementing FIM 2010R2. It’s detail-rich, but quite readable cover to cover as well as being easy to use as a post-implementation reference. If you’re interested in Forefront Identity Manager, this is a good bet for you.

Now back to ForgeRock.

John & Jamie reminded me that the world, and the world of Identity, had changed considerably from the one we talked about when we’d first met a decade ago. Today’s Identity stack needed:

  • To support enterprise, social, mobile & cloud environments
  • Lightweight APIs for easy, accessible adoption
  • To play well with others – developers, partners, competitors
  • Internet Scale

Fortunately, they said that ForgeRock had these characteristics:

  • Unified platform (Not a marketing bundle)
  • Identity Everywhere – Enterprise, Cloud, Social & Mobile
  • Simple, lightweight, developer friendly API
  • Internet Scale for big data identity transactions

The three major modules (OpenAM, OpenIDM, OpenDJ), they told me, were developed together, not bolted on to one another as some other Identity stacks are. They share a common API, common modules and a common user interface.

OpenAM (Access Management) they consider the first “All-in-One” Access Management solution delivered as a single, unified product. It includes Authentication, SSO, Authorization, Federation, Entitlements, Adaptive Authentication, Strong Authentication, and Web Services Security in a single, unified product.

OpenIDM (provisioning) they referred to as “Lightweight Provisioning at Internet Scale.” They contend that it is the only User Administration and Provisioning solution purpose-built to manage user access and accounts across enterprise, cloud, social, and mobile environments.

OpenDJ (directory services) is not your father’s directory. With OpenDJ, according to Nelson, you no longer need to be an LDAP expert; you can choose either LDAP or REST to access identity data using a single solution that can replicate data across on and off-premise applications. That’s important to today’s software developers I’m told.

I can’t hope to go into all of the relevant details here so you should check the website, download the data sheets and see if there’s a good fit for what you want to do. Meanwhile, I’ll continue with what John, Jamie and I talked about.

The software is being used in over 130 countries worldwide with North America and Europe having relatively equal shares of almost 50%. What didn’t surprise me was learning that over 50% of the company are former Sun Microsystems employees including almost all of the executive staff.

I did wonder about scalability, not something open source products are usually known for. Barco noted that one client using OpenAM (a telecommunications giant) had over 40 million user accounts in play and implied that hardware, not software, was the only bottleneck they’d encountered.

As you should know, here at KuppingerCole we’re very much in favor of Identity as a Service (IDaaS) and I was pleased to learn that the OpenForge Identity Stack was ready to go for any service provider wishing to offer a cloud-based identity solution. The guys explained:

  • Multi-tenant architecture enables a single instance of OpenAM to serve multiple organizations (tenants)
  • Designed for a service provider to virtually partition data across multiple customer environments, and configured for a secure, customized virtual instance
  • Dynamically scales as needed, with the ability to add and remove capacity if and when it is required

From the user’s perspective, OpenAM is as easy to use as IDaaS as it is as a traditional desktop system:

  • Enables users to sign in once and launch their web applications by simply clicking an icon in the Cloud Dashboard
  • Cloud Dashboard login increases user productivity and significantly strengthens security by hiding the complexity of URLs, passwords, and usernames unique to each service
  • Admins can easily create federated SSO connections with SaaS apps via the GUI-based wizard or can use Salesforce.com, Google Apps, or WebEx connectors provided out of the box

All-in-all, the OpenForge Open Identity Stack is a worthy opponent to the high-flying corporate Identity Suites on the market today and well deserves a look-in from you. Scott McNealy, former CEO of Sun and an advisor to ForgeRock, recently said “Knowing who’s who, what’s what and who gets access to what is the holy grail of web and cloud computing.” I couldn’t have said it better myself.


  • jimpasquale

    ForgeRock appears to be on the right rocky trail with some cool wiz bang services coming from the enterprise out. Kind of a top down look and not bottom up from the view of "my sovereign identity", a very hot topic in the personal cloud (pCloud) space of late.

    I'm wondering if anyone is starting to think about the linkages to an individual's personal cloud and the ramifications to these lightweight APIs. As in the end anything with an identity will have its own API. See Phil Windley's from Potholes to Picos http://www.windley.com/archives/2013/04/potholes_and_pic... now that's some persistent data that requires lots of identities and management around them.

    Thanks for the update Dave, certainly an interesting read.

  • http://cadourireusitepentrufemei.yolasite.com/ ada

    It's all about the social sphere these days. You're right, today’s Identity stack needs to support enterprise, social, mobile & cloud environments.

© 2014 Dave Kearns, KuppingerCole