The Future is Now: What’s New in ForgeRock Directory Services

Post on 12-Apr-2017


© 2017 ForgeRock. All rights reserved.

Ludovic Poitou, Director, Product Management

The Future is Now: What’s New in ForgeRock Directory Services

Michelle Fallon, Senior Product Marketing Manager


Disclaimer

The presentation represents ForgeRock’s current view of its product development cycle and future directions. It is intended for information purposes only, and should not be interpreted as a commitment on the part of ForgeRock. ForgeRock makes no warranties, expressed or implied, on future functionality and timeline.


2010 Founded

10 Offices worldwide with headquarters in San Francisco

400+ Employees

600+ Enterprise Customers

50% Americas / 50% International commercial revenues

30+ Countries

ForgeRock: The leading, next-generation, identity security software platform, driving digital business.


Digital Transformation


Identity For Everyone And Every Thing

Customer Identity Relationship Management


ForgeRock Identity Platform

[Platform diagram] Built from Open Source Projects: Access Management, Identity Management, Identity Gateway and Directory Services, sharing a Common REST API, Common User Interface, Common Audit/Logging and Common Scripting.

Capabilities shown in the diagram: Authentication, Authorization, Federation / SSO, Adaptive Risk, Stateless/Stateful, OIDC / OAuth2, SAML2, UMA Provider, UMA Resource, Mobile App, User Self-Service, Provisioning, Synchronization, Reconciliation, Workflow Engine, Registration, Aggregated User View, Reporting, Password Replay, Message Transformation, API Security, Scripting, LDAPv3, REST/JSON, Replication, Access Control, Schema Management, Caching, Auditing, Monitoring, Groups, Password Policy, Active Directory Pass-thru.


Directory Services

• Specialized identity store
• Rapid deployment
• Global replication
• Massive scale/performance
• Extensive security
• Password management
• REST & LDAP APIs

1 self-contained app, 5 min. download to install, 1 module, 1B+ entries


Directory Services Scalability


[Diagram] Directory Proxy Server (Access Layer) in front of the Directory Service Layer; LDAP | REST access; tenant suffixes dc=Tenant1,dc=com and dc=Tenant2,dc=com


ForgeRock Directory Service 5.0

• Two Modules: Directory Server & Directory Proxy Server
• Single download
• Role selected at Installation

    setup [directory-server] --port 1389 …
    setup proxy-server --port 1389 …

• New Setup tool, no more GUI


Directory Proxy Server

• Introduces a “Proxy Backend”
• Remote services can be discovered:
  • List of DS
  • List of Replication Servers
  • Automatically handles replica DS
  • Also retrieves replica group to prioritize local servers
• Load-balancing: Affinity, Least requests
• Failover with primary/secondary services
• Uses “Proxy AuthZ control” between Proxy and DS


Supporting JSON

• Added support for JSON Syntax

    myAttr: { "_id": "bjensen", "_rev": "123", "name": { "first": "Babs", "surname": "Jensen" }, "age": 25, "roles": [ "sales", "admin" ] }

• JSON Validation configurable
• Added JSON Matching Rules

    ldapsearch … "(myAttr=age lt 30 and name/first sw 'b')"

• Can be indexed
• Can be customized for finer indexing and matching


Indexing JSON Attributes

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret12 -X -n \
        set-backend-index-prop --backend-name userRoot \
        --index-name myAttr --set index-type:equality

    $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -w secret12 -X -n \
        create-schema-provider --provider-name "Json Schema" \
        --type json-schema --set enabled:true \
        --set case-sensitive-strings:false --set ignore-white-space:true \
        --set matching-rule-name:caseIgnoreJsonQueryMatch \
        --set matching-rule-oid:1.3.6.1.4.1.36733.2.1.4.1 \
        --set indexed-field:_id --set "indexed-field:name/**"
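To make the two previous slides concrete, the following is an added Python example (not ForgeRock's code) that evaluates the JSON query filter syntax used in the ldapsearch example against a constructed value of the myAttr attribute, applying the case-sensitive-strings and ignore-white-space options of the schema provider. It assumes the attribute is named myAttr as on the slide, that ignoring whitespace means collapsing runs and trimming the ends, and supports only the operators eq, lt, le, gt, ge, sw and co combined with and/or and parentheses.

```python
import json
import operator
import re

# Constructed value of the slide's JSON attribute myAttr (added example, not ForgeRock code)
SAMPLE = json.loads('{"_id":"bjensen","_rev":"123","name":{"first":"Babs",'
                    '"surname":"Jensen"},"age":25,"roles":["sales","admin"]}')
TOKEN = re.compile(r"""\(|\)|\band\b|\bor\b|'[^']*'|"[^"]*"|[^\s()'"]+""")
OPS = {"eq": operator.eq, "lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "sw": lambda a, b: isinstance(a, str) and a.startswith(b),
       "co": lambda a, b: isinstance(a, str) and b in a}

def normalize(v, case_sensitive=False, ignore_ws=True):
    # Mirrors the schema provider's case-sensitive-strings / ignore-white-space
    # options; assumption: whitespace runs collapse and the ends are trimmed.
    if isinstance(v, str):
        v = " ".join(v.split()) if ignore_ws else v
        v = v if case_sensitive else v.lower()
    return v
def lookup(doc, path):
    # Resolve a slash path such as name/first; an array matches on any element.
    for part in path.split("/"):
        if not isinstance(doc, dict) or part not in doc:
            return []
        doc = doc[part]
    return doc if isinstance(doc, list) else [doc]
def matches(doc, query, **opts):
    # Recursive descent: expr := term ('or' term)*, term := factor ('and' factor)*,
    # factor := '(' expr ')' | field op value; values are 'quoted' strings or JSON literals.
    toks = TOKEN.findall(query)
    def expr():
        v = term()
        while toks and toks[0] == "or":
            toks.pop(0); v = term() or v
        return v
    def term():
        v = factor()
        while toks and toks[0] == "and":
            toks.pop(0); v = factor() and v
        return v
    def factor():
        t = toks.pop(0)
        if t == "(":
            v = expr(); toks.pop(0); return v      # pop the closing ')'
        op, vals = toks.pop(0), [normalize(x, **opts) for x in lookup(doc, t)]
        tok = toks.pop(0)
        want = normalize(tok[1:-1] if tok[0] in "'\"" else json.loads(tok), **opts)
        return any(type(a) is type(want) and OPS[op](a, want) for a in vals)
    return expr()
```

Note that a value of the wrong JSON type never matches (the string "_rev":"123" does not equal the number 123), which is why the matching rule and the index type must agree on how the field is stored.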


REST 2 LDAP

• Sub-Resources
• Sub-Types
• Versioning
• Multi-Tenant Support
• Integration of Attributes with JSON syntax
• OAuth2 protected
• Exposes API Descriptors (OpenAPI)


DevOps

• Support and document use of HSM
  • HSM support through the JVM and PKCS11
  • Now documented
• Easier automated deployments in the Cloud
  • Simplification of KeyStore(s) and TrustStore(s)
  • Possible to use expressions in config.ldif
    • ds-cfg-listen-port: ${env['OPENDJ_PORT']}
    • ds-cfg-listen-port: ${readProperties(config.properties)['port']}
    • But not through dsconfig
• Support running in Docker containers
  • Template images in Beta


More Security

• New Security Guide
• New option to install for production use
• More secure default settings
  • Password Policy
  • Cipher Suites


LDAP Based KeyStore

• Extension to Keytool and OpenDJ directory schema
• Centralizes public and private key management
• Everything is encrypted
• And can be replicated for availability


Directory Service 5.0 Summary

• One Download
• Two Modules: Directory Server & Directory Proxy Server
• First phase towards Elastic Horizontal Scalability, for the Cloud
• Consolidated Backend Story. JE is here to stay.
• JSON Support in the data
• Secure REST and LDAP access
• More security out of the box


Thank You