Post on 12-Apr-2017
© 2017 ForgeRock. All rights reserved.
Ludovic Poitou Director, Product Management
The Future is Now: What’s New in ForgeRock Directory Services
Michelle Fallon Senior Product Marketing Manager
Disclaimer
The presentation represents ForgeRock’s current view of its product development cycle and future directions. It is intended for information purposes only, and should not be interpreted as a commitment on the part of ForgeRock. ForgeRock makes no warranties, expressed or implied, on future functionality and timeline.
2010 Founded
10 Offices worldwide with headquarters in San Francisco
400+ Employees
600+ Enterprise Customers
50% Americas / 50% International commercial revenues
30+ Countries
ForgeRock: The leading, next-generation identity security software platform, driving digital business.
Digital Transformation
Identity For Everyone And Every Thing
Customer Identity Relationship Management
ForgeRock Identity Platform
Platform capabilities shown in the diagram: Authentication, Authorization, Federation / SSO, Adaptive Risk, Stateless/Stateful, OIDC / OAuth2, SAML2, UMA Provider, UMA Resource, Mobile App, User Self-Service, Provisioning, Synchronization, Reconciliation, Registration, Workflow Engine, Aggregated User View, Reporting, Password Replay, Message Transformation, API Security, Scripting, LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, Active Directory Pass-thru
Built from Open Source Projects: Access Management, Identity Management, Identity Gateway, Directory Services
Common REST API, Common User Interface, Common Audit/Logging, Common Scripting
Directory Services
• Specialized identity store
• Rapid deployment
• Global replication
• Massive scale/performance
• Extensive security
• Password management
• REST & LDAP APIs
1 self-contained app
5 min. download to install
1 module
1B+ entries
Directory Services Scalability
Directory Proxy Server (Access Layer, LDAP | REST)
Directory Service Layer: dc=Tenant1,dc=com, dc=Tenant2,dc=com
ForgeRock Directory Service 5.0
• Two modules: Directory Server & Directory Proxy Server
• Single download
• Role selected at installation
  • setup [directory-server] --port 1389 …
  • setup proxy-server --port 1389 …
• New setup tool, no more GUI
Directory Proxy Server
• Introduces a “Proxy Backend”
• Remote services can be discovered:
  • List of DS
  • List of Replication Servers
• Automatically handles replica DS
  • Also retrieves the replica group to prioritize local servers
• Load-balancing: Affinity, Least requests
• Failover with primary/secondary services
• Uses the “Proxy AuthZ control” between Proxy and DS
Supporting JSON
• Added support for JSON syntax
  myAttr: { "_id": "bjensen", "_rev": "123", "name": { "first": "Babs", "surname": "Jensen" }, "age": 25, "roles": [ "sales", "admin" ] }
• JSON validation configurable
• Added JSON matching rules
  ldapsearch … "(myAttr=age lt 30 and name/first sw 'b')"
• Can be indexed
• Can be customized for finer indexing and matching

Indexing JSON Attributes
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret12 -X -n \
    set-backend-index-prop --backend-name userRoot --index-name myAttr --set index-type:equality
$ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret12 -X -n \
    create-schema-provider --provider-name "Json Schema" --type json-schema --set enabled:true \
    --set case-sensitive-strings:false --set ignore-white-space:true \
    --set matching-rule-name:caseIgnoreJsonQueryMatch --set matching-rule-oid:1.3.6.1.4.1.36733.2.1.4.1 \
    --set indexed-field:_id --set "indexed-field:name/**"
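Added example, not code from the slides or from ForgeRock DS: a small Python evaluator that applies a JSON query filter like the one in the ldapsearch above to a parsed JSON attribute value, using the case-insensitive string comparison that case-sensitive-strings:false selects. Operator names beyond lt and sw (eq, le, gt, ge) and the and/or/parentheses grammar are assumed to follow ForgeRock's Common REST query-filter syntax; the real matching rule may differ in details such as array handling.

```python
# Added example (not ForgeRock's code): evaluates the JSON query filters accepted by
# DS 5.0's JSON matching rules, e.g.  age lt 30 and name/first sw 'b'  (CREST-style ops).
import json
import re

_TOKENS = re.compile(r"\(|\)|'[^']*'|\"[^\"]*\"|[^\s()]+")
_OPS = {"eq": lambda a, e: a == e, "sw": lambda a, e: a.startswith(e),
        "lt": lambda a, e: a < e, "le": lambda a, e: a <= e,
        "gt": lambda a, e: a > e, "ge": lambda a, e: a >= e}
def _lookup(doc, path):  # follow a slash-separated field path such as name/first
    for key in path.split("/"):
        if not isinstance(doc, dict) or key not in doc:
            return None  # missing field: no comparison will match it
        doc = doc[key]
    return doc
def _literal(tok):  # quoted token -> string; otherwise a JSON scalar (25, true)
    try:
        return tok[1:-1] if tok[0] in "'\"" else json.loads(tok)
    except ValueError:
        return tok
def _test(op, actual, expected, ignore_case):  # one path/op/literal comparison
    both_str = isinstance(actual, str) and isinstance(expected, str)
    both_num = all(type(v) in (int, float) for v in (actual, expected))
    if not (both_str or both_num) or (op == "sw" and not both_str):
        return False  # missing field or type mismatch (string vs number): no match
    if both_str and ignore_case:  # case-sensitive-strings:false, as configured on the slide
        actual, expected = actual.lower(), expected.lower()
    return _OPS[op](actual, expected)

def json_query_match(value, query, ignore_case=True):  # value: parsed JSON (dict)
    toks, pos = _TOKENS.findall(query), 0
    def chain(sub, word, combine):  # sub (word sub)*; sub() always runs to consume tokens
        nonlocal pos
        result = sub()
        while pos < len(toks) and toks[pos].lower() == word:
            pos += 1
            result = combine(result, sub())
        return result
    def factor():  # '(' expr ')' | path op literal
        nonlocal pos
        if toks[pos] == "(":
            pos += 1
            result = expr()
            pos += 1  # closing parenthesis
            return result
        path, op, lit = toks[pos:pos + 3]
        pos += 3
        return _test(op.lower(), _lookup(value, path), _literal(lit), ignore_case)
    term = lambda: chain(factor, "and", lambda a, b: a and b)
    expr = lambda: chain(term, "or", lambda a, b: a or b)
    return expr()
```

Note that "_rev eq 123" does not match the entry above because _rev is stored as the JSON string "123": JSON typing, not just the value, decides a match.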
REST 2 LDAP
• Sub-Resources
• Sub-Types
• Versioning
• Multi-Tenant Support
• Integration of attributes with JSON syntax
• OAuth2 protected
• Exposes API Descriptors (OpenAPI)
DevOps
• Support and document use of HSM
  • HSM support through the JVM and PKCS11
  • Now documented
• Easier automated deployments in the Cloud
  • Simplification of KeyStore(s) and TrustStore(s)
  • Possible to use expressions in config.ldif
    • ds-cfg-listen-port: ${env['OPENDJ_PORT']}
    • ds-cfg-listen-port: ${readProperties(config.properties)['port']}
    • But not through dsconfig
• Support running in Docker containers
  • Template images in Beta
More Security
• New Security Guide
• New option to install for production use
• More secure default settings
  • Password Policy
  • Cipher Suites
LDAP Based KeyStore
• Extension to Keytool and the OpenDJ directory schema
• Centralizes public and private key management
• Everything is encrypted
• And can be replicated for availability
Directory Service 5.0 Summary
• One download
• Two modules: Directory Server & Directory Proxy Server
• First phase towards elastic horizontal scalability, for the Cloud
• Consolidated backend story. JE is here to stay.
• JSON support in the data
• Secure REST and LDAP access
• More security out of the box
Thank You