Technology Trends

From Evolution to Revolution

How COVID-19 has accelerated digital transformation


As shelter-in-place restrictions caused by COVID-19 slowly start to lift around the world, the notion that it will be “business as usual” is far from reality. At this stage, we know comparatively little about the virus and its long-term impact on business. But there are definite indicators based on the countless conversations I’ve been having with customers in the last eight weeks that companies with strong digital identity strategies have fared much better than those that did not.

The discussions I’ve had with leaders inside financial institutions, media conglomerates, and others offer some very interesting insights into how customer preferences, needs, and expectations might evolve in the coming months. Here are my virtual “notes from the road,” which I hope are useful to any organization looking for guidance on starting their rebuilding efforts in a post-pandemic world. 

COVID-19 has forced dramatic change in the digital world

The pandemic has pushed organizations to accelerate their digital transformation at an unprecedented pace. Pre-COVID-19, most businesses were on an evolutionary path to digital transformation. Now, necessity has forced them into a digital revolution. 

Overnight, our customers saw spikes in online traffic at levels normally associated with special events such as Black Friday or the Olympics – events where, historically, people had months or years to plan. COVID-19 afforded no preparation time. Huge spikes in activity across e-tail, education, healthcare, banking, telecommunications, and other sectors became a reality as both adults and children turned to a new remote way of living and working. Simultaneously, an uptick in malicious activity took place, as cybercriminals tried taking advantage of organizations that slashed red tape and bureaucracy in a desperate effort to keep up.

At ForgeRock, we believe this is a moment of truth for brands. An organization’s core mission won’t change because of COVID-19, but how they deliver on it has. Ensuring secure access and a streamlined, frictionless user experience are vital to maintaining competitive advantage. As a result, identity and access management (IAM) has emerged as a top priority. Even as some organizations cut spending, digital identity remains a must-have priority, with most identity and access management initiatives moving forward with even greater urgency.

Seize the opportunity to disrupt 

Looking at the situation optimistically, we see this time as a unique opportunity for your business to rally and to stand apart from the rest. Zoom is a perfect example of a brand that has achieved cultural awareness as a result of the global health crisis. It has moved beyond the enterprise and is now one of the primary ways housebound people connect worldwide.

“Getting identity right” means making it easy for your customers to connect to you digitally – making it easy to log in, reset passwords, receive personalized digital content, and feel secure, with respect for their privacy. Users deserve a digital experience that is both simple and safe. Getting identity right could change the trajectory of your company and make your brand a household word. By 2022, businesses that provide great customer experiences are projected to earn 20% more in revenue than those with a less than optimal customer experience.1

Identity technology is an enabler

The data we’ve gathered from our own customers attests to this. ForgeRock has enabled many organizations to scale up in order to meet consumer demand. Here are real-world examples of how organizations across multiple sectors adapted quickly to address the changing needs of both consumers and the workforce.

  • Scale at unprecedented levels: A large media organization serving a major European country had to scale dramatically during COVID to accommodate billions of access requests from citizens tuning in for live news updates and streaming content at different times of day. Historically, events of this scale would be related to a major sports event or an important political event and would be planned for months or years in advance. With COVID-19, this scale is occurring daily.  
  • Massive switch from “in-person” to digital relationships overnight: Overnight, a large banking organization saw a 300% increase in online/mobile banking while also experiencing a 51% decrease in local branch foot traffic.
  • Rapidly mobilizing a new remote workforce: One large financial company shared a common experience of going from 95% of the workforce located in offices pre-COVID-19 to the same number now working from home. The impact on productivity was felt immediately by both IT professionals and staffers when the rollout of new collaboration apps for virtual whiteboarding and video chat began and the need for multi-factor authentication to implement remote work securely became apparent. 
  • Black Friday every day: Many of our retail customers reported an unprecedented increase in online activity – surpassing Black Friday level traffic. DevOps and auto-scaling capabilities in ForgeRock IAM have been critical in supporting these levels of traffic.

Zero Trust timelines have accelerated by over a year

Zero trust and “identity as the new perimeter” have been popular thought leadership topics in IAM and often on an organization’s roadmap, but in the midst of COVID-19, the roadmap for accomplishing these initiatives has been accelerated by a year or more. 

In addition to navigating increased customer demand, many organizations have also come to realize that their traditional approach to digital identity management falls short in enabling all their employees to work remotely and to access applications securely. The need to adopt a work-from-home policy for employees has put pressure on capacity for many businesses. Realizing that there is no such thing as a trusted network or device, organizations are now opting for risk-based authentication and authorization methods. 

Another concern is an increase in Coronavirus-themed security threats – from phishing campaigns to fraud. A joint alert issued by the U.K. and U.S. lists more than 2,500 COVID-19-related scams. It’s more critical than ever to provide a secure online experience for all types of users on all types of devices. ForgeRock helps you protect user privacy while ensuring secure connections on all their things.

Consequently, the adoption of a Zero Trust model – the foundation of the ForgeRock IAM Platform – has accelerated.

Enable safe and simple digital access

With more people relying on online services, it’s critical to ensure that the first steps in any digital journey are smooth and seamless. It’s often at login that you are most at risk of losing users, especially when they have forgotten their usernames or passwords. We will soon roll out new capabilities that ensure you retain customers – regardless of their technical skill level – during the login process. Soon you’ll be able to quickly and easily determine who the user is, what device they are on, and what their preferences are.

Protect digital users

During COVID-19, everyone has opened themselves up digitally to a greater extent. This new “all digital” lifestyle has caused people to want more control over their data and privacy. Our self-service privacy and consent dashboards enable users to securely share and revoke or authorize consent. We also offer users choices, asking them whether they prefer passwordless or password-driven logins. 

As the digital revolution unfolds in all of its permutations, we are here to help you meet and exceed the expectations of your customers and employees alike. When it comes to digital identity, remember: you are not alone. Find useful resources at Connect Everyone.


 1. Gartner Identity and Access Management Summit, Keynote: “The Future Identity and Access Management in 2019 and Beyond,” Gregg Kreizman and Mary Ruddy.

Bring Digital Identity Out of the Shadows to Fuel Digital Transformation

CPO Vision


Everyone who has anything to do with security is all too familiar with the term “Shadow IT,” which applies to situations in which users across virtually all departments in an organization access applications and services without the authorization of corporate IT. Driven by the consumerization of IT and the convenience of the cloud, Shadow IT has introduced significant risk to enterprises due to lack of visibility and control. 

Today, as more businesses invest in their digital transformation – to the tune of more than $3.7 billion in 2019, according to Gartner – they are faced with yet another security and privacy challenge that also undermines the customer experience and hampers business success, namely Shadow Identity, or “Shadow ID.”

What is Shadow ID?

In the process of creating and delivering new digital services for their customers, business units within an organization can inadvertently create identity silos. In many organizations, a fragmented approach to identity consists of legacy, home-grown, and off-the-shelf point solutions that create a crazy quilt of applications that cause what we now call Shadow ID. This occurs primarily because organizations lack a unified consumer identity and access management (CIAM) solution and oversight over the process. 

The end result is that a single customer who signs up for various digital services with a company may actually have multiple sets of identities. Every time an innovative digital service is rolled out to users, there is the potential for another identity silo to crop up. So why is that a problem?

  • The user experience suffers in a big way. Let’s consider this simple scenario: A large financial institution offers an array of services – from ATMs to bank cards to online banking portals to mortgage loans, and more – and requires customers to create separate logins for each of these. Each department at this bank houses this customer identity data in a different silo for each service, and these silos are disconnected. When customers call their branch to have a question answered, they are typically shunted around to different people before they have a conversation with someone who has their customer information (and even that may be incomplete or inaccurate). The end result is a frustrated customer who gets even more frustrated with each engagement across all channels.
  • Cross-sell opportunities are limited. Without a single source of truth about customer identities, it’s difficult to perform meaningful marketing analytics. And without reliable analytics, companies will have a hard time cross-selling services to their existing customers and delivering personalization for online applications and services. Clearly, Shadow ID can hinder business growth and put organizations at a disadvantage vis-à-vis competitors who have a unified identity architecture that can provide better, more streamlined customer experiences.
  • Shadow Identity increases security risk to enterprises. Identity silos inherently result in an inconsistent security posture due to differing password-strength and reset policies and some services requiring multi-factor authentication but not others. Further, as security and identity standards evolve (examples: HTTP/2, mutual TLS, and newer crypto algorithms), it’s nearly impossible to consistently update disparate identity silos in unison, and this exposes the enterprise to greater risk. 
  • Identity silos create privacy and compliance problems. Fragmented identity silos make it increasingly difficult to keep up with ever-changing government and industry regulations. The EU General Data Protection Regulation (GDPR), which imposes strict regulations on usage and sharing of private customer data, is an excellent case in point. Without a single view into all customer identity data points, GDPR compliance becomes exceedingly difficult, if not impossible. Additionally, when a customer chooses to opt out of a service, managing this process across multiple silos becomes a hugely painful and time-consuming effort.

Enter the ForgeRock Digital Identity Platform

At ForgeRock, we help people safely and simply access the connected world by enabling exceptional digital experiences, no compromise security, and comprehensive functionality at any scale with simple, flexible, and rapid implementations. With ForgeRock, you can address – and get ahead of – the requirements of the digital Disruptive Economy. Using ForgeRock’s comprehensive, flexible customer identity and access management (CIAM) technology, you can support customer experiences that exceed expectations and foster consumer trust and loyalty to create new opportunities for growth and competitive advantage.

At ForgeRock, we are well aware of the pitfalls of Shadow ID and are passionate about helping our customers grow and innovate while offering a safe and frictionless experience for their users. It’s all about giving the right people the right access at the right time – by using the right IAM platform.

Learn more about how to connect everyone, anywhere, or contact us to get started.


Media Giant BBC Credits Digital Identity Strategy as One Key to Success During Pandemic


As COVID-19 continues to affect our world, the importance of keeping citizens informed is even more critical now than ever. Media giants like the British Broadcasting Company (BBC) have found themselves serving as a central player in helping millions of people stay connected and safe with new programming and services aimed at educating, entertaining, and keeping everyone calm – from small children to aging adults. 

The venerable brand has met the challenge by mobilizing its workforce quickly to work remotely and by doubling down on a digital transformation strategy grounded in identity in order to handle a massive influx of consumer demand that came to the BBC nearly overnight.  

We recently talked with Matt Grest, director of platform for the BBC, to learn how his organization is able to successfully keep employees productive and provide the essential information consumers need during the crisis. 

Supporting Remote Workers

ForgeRock: When it became obvious that working from the office was no longer possible, how were you able to get your team operational from home quickly? 

Matt: We were fortunate in many ways. I have about 350 people on my Platform team at the BBC. Many already had experience working remotely before the pandemic hit and were using best practices, like morning stand-up meetings. To help make the shift smooth for everyone, we were also able to quickly give employees instant access to appropriate applications so they could continue their work from home. In the last six weeks, I’ve been very fortunate that my team has continued to be productive whilst our offices were running at about 10% capacity. We’re still in the early days, but it’s appearing that efficiencies are comparable, if not better, than with the on-premises working model. 

Scaling to Meet Demand 

ForgeRock: Seismic shifts in audience size can present unexpected risk. What sort of growth have you seen?

Matt: We’re getting World Cup numbers every day at 5 p.m., right when everyone tunes in to hear what the Prime Minister is saying about the COVID-19 crisis. Millions of people want the information instantaneously and in different formats, such as video, text, and audio. Our challenge is to respond to this ever-increasing demand and provide seamless service to our audience.

During the COVID-19 crisis, we are experiencing record numbers of customers tuning in for live news updates and streaming content every day. We’re also seeing changes in usage patterns, such as significantly more consumers demanding content in the middle of the day. Meeting scalability challenges is something that never goes away. As an increasing number of people shift their viewing habits away from traditional broadcast TV and onto digital platforms, scaling up to meet this demand becomes a daily focus for us. In 2017 we introduced the ability for our audience to sign in to iPlayer. Getting people signed in means we can offer them a truly personalised experience. Now, in 2020, the majority of people in the UK have a BBC account and use it to access our personalised online services. Again, this posed another huge scalability challenge as we had to build out our systems to cope with an ever-increasing demand.

Launching New Services and Content

ForgeRock: Meeting the needs of consumers across a wide range of demographics can’t be easy. What challenges have you faced? 

Matt: In addition to supporting remote workers and changing capacity, we are also rolling out new content and services. In April 2020, we introduced BBC Bitesize, a website that provides parents and students with free videos, step-by-step guides, activities, and quizzes by level and subject. We relaunched the service within weeks and saw three million people use the service on launch day, with zero downtime. 

Children can be more challenging to authenticate. Article 8 of the GDPR dictates that users under the age of 16 need parental consent to access content. We deliver highly personalised, age-appropriate experiences in a compliant manner while ensuring kids are using their own accounts rather than their parents’. Kids can even authenticate their identities via voice-first commands, an age-specific preference that could have been difficult, but we were able to deliver it with minimal headaches. 

Personalized Data Is Better Data

ForgeRock: Offering personalized services adds significant value for your consumers. But with that comes a huge responsibility to protect a vast amount of customer data. How do you earn the trust of your users?   

Matt: A personalised BBC makes for a better BBC. Once we get our audience signed in, we can then understand people’s likes, dislikes, device preference, time-of-day usage, and more in order to deliver a bespoke and optimal user experience. At the same time, we must remain compliant in keeping customers’ data secure and allow users to opt out of the personalised experience if they desire. 

Future Scalability Considerations

ForgeRock: Innovation is at the heart of what you deliver every day for millions of customers. What’s next at the BBC? 

Matt: The future is digital, and the biggest ongoing challenge for us is scalability. Today, we keep users signed in for two years (compare that with banks that log users off after a few minutes of inactivity). In addition, each user leverages the BBC with three different devices, on average. With 45 million users working with three to four devices, it could be a big challenge to manage access and active sessions, but we have the right technologies to help us meet our goals.

As we look to introduce more new and exciting services over the next few years, continuing to scale up our ability to deal with increasing millions of people who wish to access an ever-increasing amount of content is an ongoing challenge for us – a challenge our team thrives on.

The BBC is a public service, and we need to keep pace with customers, but we can’t leave anyone behind. For example, we need to balance expanding our digital content and services whilst also catering to the audiences who prefer to tune in via traditional channels like radio and television.

As a BBC consumer personally, I am one of those who enjoy BBC content, such as the fabulous TV show “Killing Eve.” I can’t wait to see what they offer us next.

As Director of Platform, Matt is responsible for leading the transformation of the BBC’s digital and broadcast products into a fully integrated platform, bringing together the BBC’s content library, digital archive and audience services into a single integrated platform, and preparing the BBC for an Internet-fit future. Since starting at the BBC in 2017, Matt has created the Platform Group, bringing together teams around the UK that provide content and personalisation services to the BBC’s digital products, and created a single integrated organisation. Matt sponsors the BBC’s Step into Tech initiative, giving women training and a pathway into a digital career. Matt has also sponsored the BBC’s technology expansion in Glasgow. Prior to joining the BBC, Matt was Director of Digital Platforms at Sky, where he was responsible for the technology that powers Sky's digital products. Matt also led the creation of Sky's digital hub in Leeds. Previous roles include leading the team responsible for the main NHS digital platform, leading technology teams on large-scale financial services mergers and acquisitions, and taking an ISP from start-up through to exit.

Identity Connects Everyone to Everything, Everywhere 

Find out how ForgeRock delivers work from home and online consumer experiences at scale here.

Announcing the ForgeRock University Achievement Awards

Each year, the ForgeRock University team comes together to reflect on the accomplishments of our team, instructors, and Authorized Training Partners. We are thrilled to announce our ForgeRock University Achievement Award winners. 

We created the University Achievement Awards to recognize outstanding performance in the areas of student experience, growth, and innovation. Leveraging Six Sigma standards and the results from our “Metrics that Matter” study, we were able to identify those high flyers who really made a difference in the past year. 

Our Achievement Awards highlight the outstanding performance of one instructor and one Authorized Training Partner. 

Drumroll please!

The Outstanding Authorized Training Partner Award goes to ExitCertified/TechData Academy (US). 

ExitCertified was ForgeRock's first Authorized Training Partner, joining the family in 2015. It is a delight to watch our old friends succeed and push themselves harder each year. Between 2018 and 2019, they delivered nearly 20% year-over-year growth in student days. This means that about one-third of all ForgeRock University's 2019 student days can be attributed to ExitCertified's incredible efforts. Additionally, their dedicated team managed to increase the overall quality of class delivery during this time of growth. This is an achievement to be applauded and more than worthy of our Outstanding Authorized Training Partner Award!

The Outstanding Instructor Achievement Award goes to Rajesh Rajasekharan of Red Education (APJ).

Technology Evangelist Rajesh teamed up with Red Education as an instructor back in 2017, delivering public and specialized private classes all across the Asia-Pacific region. He is one of our most sought-after instructors, with students regularly reaching out and highlighting his incredible expertise, patience, and interactive way of teaching. 

Having over a decade of experience as an instructor, Rajesh strives to enable the best student experience possible at all times. And it shows. Rajesh’s overall score resulted in a performance rating of 95.1%, making him the first ForgeRock instructor to win this award twice in a row!

Please join us in congratulating our outstanding partners and instructors for their fantastic achievements. We look forward to seeing who claims the outstanding achievement awards next year.

Learn New Skills

Want to learn new skills and prepare for a new world of work? ForgeRock University is offering a 50% discount on all live virtual classes from now until the end of July 2020. In addition, students enrolled in certification-related classes will receive a complimentary voucher to take a ForgeRock Certified Specialist Exam before year end. Recent additions to the curriculum include the ForgeRock Identity Governance workshop and Deploying the ForgeRock Identity Platform Using DevOps Techniques. Learn more here.


How ForgeRock’s DevOps Deployment Model Speeds Time to Market

Combining IAM with Docker and Kubernetes gives you competitive advantage 

Time is of the essence when it comes to developing and deploying capabilities that support remote work and online business. One of the best ways to speed time to market, scale for peak demand, and increase efficiency is by using a modern identity and access management (IAM) solution that supports a multi-cloud DevOps deployment model utilizing containerization and orchestration technologies, such as Docker and Kubernetes. With the cloud now a top enterprise strategic priority and more workloads shifting to cloud platforms every year, it’s imperative that these workloads be protected. 

New Demands Create Challenges for Traditional IAM 

IAM enables organizations to connect users to all their services with seamless and secure access from any device. For any new services needed, identity authentication and management is essential. However, traditional IAM solutions are complex and difficult to deploy. They lack the scalability and flexibility needed for quickly rolling out new services, upgrades, or releases. Modern IAM solutions need to be agile in order to quickly respond to market demand. This requires rearchitecting IAM to support automated and continuous delivery requirements essential for DevOps across any cloud. Supporting a DevOps approach and containerizing IAM using Docker and Kubernetes allows for greater flexibility when deploying IAM solutions.

What Are Docker and Kubernetes? 

Docker is a tool designed to make it easier for developers to quickly create, deploy, and run applications at scale and in any environment by using containers. Containers allow a developer to bundle an application with all of the parts it needs – such as libraries, code, and other dependencies – and deploy it as one package. Developers can focus on writing code without worrying about the system that it will be running on. Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Together, Docker and Kubernetes enable developers to orchestrate and deliver services faster, with flexible deployment options, whether in an on-premises, hybrid, or multi-cloud environment. 

The Power of DevOps and Identity 

Large enterprises face identity challenges around slow time-to-market development, high deployment costs, and lack of resources and skill sets. What's needed is a cost-effective way to speed and streamline deployment, maintenance, and management with a comprehensive identity platform. 

A modern identity platform will enable you to build and maintain a production-grade, DevOps-enabled, referenceable, cloud-ready architecture that enables automated multi-cloud deployments – leveraging Docker and Kubernetes. These capabilities reduce the time you spend managing and configuring software, increase the speed of deployment, and allow you to focus on delivering business results, thereby increasing your overall productivity and competitive advantage. In fact, customers that leverage the ForgeRock DevOps deployment model have accelerated projects by three to six months and have saved 25% on implementation costs. With the right identity solution, organizations can easily protect workloads in any cloud; support millions of identities of any type; enable rapid solution development in a repeatable way; and conduct fast, simple, and highly available deployments – all without sacrificing rich features and extensibility. This ultimately leads to immediate business benefits, including accelerated time to market, increased flexibility in rolling out new services, availability and scalability, and time savings. 

“Microservice architectures, DevOps and agile development as new paradigms, and container-based deployments are changing the way IT is done. There are obvious benefits in moving to such architectures, such as increased flexibility and lower cost of operations, but also increased security.” – KuppingerCole 

The ForgeRock Difference

By making it easy to utilize the power of Docker and Kubernetes technology, ForgeRock provides the fastest and most flexible multi-cloud IAM deployment options. Our cloud deployment model removes complexity and can help you accelerate time-to-market development, making it easy for you to deploy millions of identities in minutes, on any cloud, whether it’s Amazon Web Services (AWS), Google Cloud, or Microsoft Azure. You can validate deployment options against ForgeRock benchmark results and analyze the most cost-effective cloud solution based on multiple factors so that your organization can reduce costs, ensure optimal performance, availability, and reliability to meet customer demand quickly.

Learn more about our multi-cloud and DevOps solutions. For a technical deep dive, watch this on-demand webinar on Running IAM using Docker and Kubernetes. 


IAM 101 Series: Federation and Federated SSO

What It Is, Why It’s Important, and How It Enables Our Online Lives

As highlighted in our blog post, IAM 101 Series: Single Sign On (SSO), people all over the world are utilizing digital apps and services to access their jobs, stores, schools, and health services remotely from their homes now more than at any other time in history. 

In fact, the Associated Press (AP) reports: “Transaction volumes in most retail sectors have seen a 74% rise in March (2020) compared to the same period last year, while online gaming has seen a staggering increase of 97%, according to analysis by ACI Worldwide of hundreds of millions of transactions from global online retailers.”

Breaking down the rise in retail by sector, the AP article shows the following increases in transaction volumes for March 2020 compared to last year:

  • Home products and furnishings: +97%
  • Do it Yourself (DIY) products: +136%
  • Garden essentials: +163%
  • Electronics: +26.6%
  • Telco: +18.6%

Sadly, the increase in online transactions brings with it an increase in cybercrime and fraud. Just weeks ago the BBC reported: “Scammers are sending 18 million hoax emails about Covid-19 to Gmail users every day.”

With this explosion in online traffic and cybercrime, organizations and service providers are continuously asking the question: “How do we provide the easy online access our workforce and consumers want and need securely?”

Identity and access management (IAM) and federated single sign on (SSO) are the answer. They are the behind-the-scenes secret sauce that enables secure, easy online access for billions of users and all their connected things around the globe. 

So, what is federated SSO, and how does it work? Let’s review the single sign on basics first and go into federation from there.

Single Sign On (SSO) Basics: A Review

In the blog post IAM 101 Series: Single Sign On (SSO), we discuss single sign on in its simplest form within the security perimeter of an organization. In a nutshell, all SSO relies on an IAM component called an identity store to house user credential information and data (such as usernames and passwords) for multiple resources (such as apps, services, and systems). This one-identity-store-to-many-resources ratio is what allows internal users to log into multiple resources with one set of credentials – hence, single sign on. Identity stores are part of, and managed by, identity and access management (IAM) systems.

When users such as employees are within an organization’s IT security perimeter or firewall, SSO is relatively simple. The resources are internal, and the user has already been vetted to some degree. Therefore, there is an existing level of trust and security. 

But what about when a user or resource is not internal to an organization, such as an online banking customer or an employee using externally hosted software like Salesforce? How do they gain secure access to those apps and systems? 

Enter identity federation and federated SSO.

Identity Federation and Open Standards: The Building Blocks of Federated SSO 

For those new to identity and access management and SSO, the word ‘federation’ means a united, trusted relationship between two or more entities, such as schools, businesses, government agencies, and so on. For example, the U.S. Federal Government is a federation of states. 


For purposes of IAM and SSO, a trusted union of entities is called an identity federation. Identity federations use agreed-upon protocols based on open standards that allow the federated organizations’ IAM systems to securely talk to one another in order to share data and access to resources across organizational perimeters. Open standards accomplish this by creating and passing encrypted tokens that contain user data, such as a username and password, between the federated IAM systems. Commonly used open standard protocols for federation include OAuth, WS-Federation, WS-Trust, OpenID Connect, and SAML. 

Fun fact: ForgeRock’s very own Chief Technology Officer, Eve Maler, is one of the original authors of the SAML and UMA open standards, among others.

Identity federation, IAM, and open standards enable organizations to conduct business securely with third parties, such as partners, and individuals, such as customers, by allowing each organization to know who is interacting with them and what they’re enabled to do and to trust that the interaction between them is secure. This is significant because it means that identity federation, IAM, and open standards are the magic behind the curtain empowering our digital lives.

What Is Federated Single Sign On?

Building on the section above, federated single sign on is a capability made possible only by identity federation, IAM, and open standards. Because secure, encrypted communication can flow between federated IAM systems, you can authenticate with one organization to gain access to resources hosted by one or more other organizations. This is the basis of federated single sign on. For example, when you log into an app using your social media credentials (called social sign on), the social media organization is federated with the organization offering the app. Additionally, federated SSO allows you to authenticate once and then gain access to multiple resources, such as unlocking your mobile phone or tablet and then getting direct access to your third-party apps.
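To make the trust relationship concrete, here is an added example (not ForgeRock code, and not tied to any particular product) of the two halves of a federated login: an identity provider that signs an assertion after authenticating the user, and a service provider that accepts the assertion only if it comes from an issuer in its federation, is addressed to it, has not expired, and carries a valid signature. The issuer names, the shared HMAC key, and the HS256 JSON Web Token layout are assumptions chosen to keep the example self-contained; a production federation (SAML or OpenID Connect) would normally use public-key signatures and metadata exchange rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The organization the user authenticates with (e.g. a social login provider).
    Authentication itself is out of scope here; we only issue the signed assertion."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self._key = signing_key  # constructed: shared with federation partners out of band

    def issue_token(self, subject: str, audience: str, ttl: int = 300, now: int = None) -> str:
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
        signing_input = ".".join(
            _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
        )
        signature = hmac.new(self._key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url_encode(signature)


class ServiceProvider:
    """The organization hosting the resource; it trusts only the issuers it holds keys for."""

    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self._trusted = trusted_issuers  # issuer name -> verification key (the federation agreement)

    def verify(self, token: str, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        try:
            h_b64, c_b64, s_b64 = token.split(".")
            header = json.loads(_b64url_decode(h_b64))
            claims = json.loads(_b64url_decode(c_b64))
            signature = _b64url_decode(s_b64)
        except ValueError:  # includes JSONDecodeError and binascii.Error
            raise ValueError("malformed token")
        # Never let the token pick the algorithm: "none" or a downgrade is rejected outright.
        if header.get("alg") != "HS256":
            raise ValueError("unsupported algorithm")
        key = self._trusted.get(claims.get("iss"))
        if key is None:
            raise ValueError("issuer is not in the federation")
        expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad signature")
        if claims.get("aud") != self.audience:
            raise ValueError("token was issued for a different service")
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            raise ValueError("token expired")
        return claims


def social_sign_on_demo(now: int = 1_700_000_000) -> dict:
    """Constructed walk-through: the app trusts the social provider, so one login there
    grants access here without a second set of credentials."""
    shared_key = b"federation-shared-secret-example"  # constructed sample key
    social = IdentityProvider("https://social.example", shared_key)
    app = ServiceProvider("https://app.example", {"https://social.example": shared_key})
    token = social.issue_token("alice", "https://app.example", ttl=300, now=now)
    return app.verify(token, now=now + 10)  # returns the verified claims for "alice"
```

The checks in `verify` are the ones that matter in practice: the issuer allow-list is the federation, the audience check stops a token minted for one partner being replayed at another, and the algorithm check prevents the token from telling the verifier how to verify it.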

Federated SSO translates into better user experiences because it provides greater accessibility to apps and services without the headache of having to remember multiple usernames and passwords. Additionally, for organizations, federated SSO results in better security, engagement, and conversion.

Why ForgeRock for Federated SSO and IAM? The Ease and the Results

The ForgeRock Identity Platform is the most extensive IAM platform on the market and offers the very latest federated SSO capabilities, such as passwordless authentication, which allows users to securely authenticate without usernames and passwords (yes, really). A distinguishing feature of the ForgeRock platform is its ability to give organizations the latest IAM and SSO capabilities and enable them to quickly coexist with legacy IAM systems or easily replace them.


For example, one of the world’s largest wireless communications services providers, with more than 100 million wireless customers, was using Oracle Open SSO and required open standards, such as OAuth, SAML, OIDC, and so on. After careful consideration of many providers, they selected ForgeRock because our platform includes many of the capabilities they sought right out of the box, such as open standards support. 

The results that this large communications company realized with ForgeRock are outstanding. In terms of SSO, they removed 99% of the friction in the login process, resulting in superior customer experiences and improved customer trust. They also increased their security by decreasing fraud occurrences by 25%.

The benefits of ForgeRock are wide-ranging. In addition to bridging the gap from legacy SSO systems, the ForgeRock platform also includes integrations from the industry’s largest technology partner network, so you can leverage the latest single sign on practices, as well as easily extend your IAM capabilities to other areas without having to vet numerous vendors or buy multiple point solutions.

Interested in learning more? Read the latest trends and IAM requirements for securing and supporting your remote workforce and online consumers and citizens.


Cloud Series: Authorize Anyone, Anything with Macaroons

What are Macaroons? 

Macaroons are access tokens that use contextual authorization to confirm that the user is who they say they are, and that no one is impersonating them. Developed by Google, Macaroons are improvements on traditional cookies that reduce the scope or capability of a given token or allow for more distributed capabilities. Macaroons offer a new type of token format, specifically used with OAuth2/OIDC scopes, and they are available in the Identity Cloud.

In traditional token-based authentication, access tokens represent the authorization of a specific application to access specific parts of a user’s data. They are kept confidential, with only the application itself, the authorization server, and the resource server ever seeing the token. To support a new set of use cases focused on distributed capabilities, macaroon-based tokens can be verified cryptographically away from the issuer using standard libraries, and they can replace regular access tokens.

Access and Refresh Tokens 

Traditional access tokens are short-lived because, if leaked, they grant potentially malicious users access to the resource owner's resources. However, clients may need to access the protected data for periods of time that exceed the access token lifetime, or when the resource owner is not available. In some cases, it is unreasonable to ask for the resource owner's consent several times during the same operation.

Refresh tokens solve this problem. They are long-lived by default, and you can configure the lifetime of the tokens in the OAuth 2.0 Provider settings or in each client. Refresh tokens, as opposed to access tokens, allow clients to ask for a new access token without further interaction from the resource owner. However, refresh tokens can only be used once.

More Secure

Macaroons are a new type of bearer token that can be used when issuing OAuth 2.0 access and refresh tokens. They allow caveats to be appended to restrict, or to provide context for, how a token can be used. They can also provide additional security, as these tokens can be restricted in time (given a very short lifetime).

For example, you can add a 5-second expiration time to a macaroon access token before sending it to an API. Additionally, you can bind it to a TLS client certificate before use. And it is possible to create as many macaroons as needed from the single access token, and the scope of each can be restricted by the trusted client using a caveat.

Distributed Access 

Macaroons can also be used in place of regular access tokens, as they allow a single access token to be shared with multiple clients and resource servers without compromising security. Rather than issuing multiple access tokens with different scopes, ForgeRock, acting as the authorization server, issues one broadly scoped access token wrapped in a macaroon, from which the trusted client derives as many narrowly scoped macaroons as it needs.

Caveats give clients the ability to restrict how the macaroon token can be used. This makes macaroons very useful for delegation, for example in a microservice architecture: the client can delegate to other services with a limited set of capabilities, bound by certain restrictions. For example, the client can append a caveat that shortens the expiry time, or reduces the scope of the token, after it has been issued. Let’s say a user has an accounts receivable and an accounts payable relationship with a bank. You can add a caveat to the macaroon so that the user cannot perform both actions on the same account within a 5-minute window.

Continuous Authorization 

Macaroons continuously authorize that the user is who they say they are, and that no one is impersonating them, via contextual authorization. They do this using a hash-based message authentication code (HMAC), a message authentication code computed with a cryptographic hash function.

Macaroons can be used when issuing OAuth 2.0 access and refresh tokens. They allow you to authorize resource access using bearer tokens that can be appended with caveats. They are based on a construction that is highly efficient, easy to deploy, and widely applicable.
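The caveat mechanism from the "More Secure" and "Distributed Access" sections and the HMAC chaining from this section are easiest to see in code. Below is an added example, not ForgeRock's or Google's implementation, of the core macaroon construction: the issuer's root key HMACs the token identifier, each appended caveat HMACs the previous signature, and a verifier that holds the root key recomputes the chain and then evaluates every caveat against the request context. The caveat syntax (`time <`, `scope in`, `client_cert =`), the sample key, and the token identifier are assumptions for the example; real macaroons additionally carry a location and support third-party caveats, which are omitted here.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _chain(key: bytes, message: str) -> bytes:
    """One link of the HMAC chain: the previous signature keys the next HMAC."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    identifier: str        # public id the issuer uses to find the root key (here: the token id)
    caveats: tuple = ()    # first-party caveats, in the order they were appended
    signature: bytes = b""

    @classmethod
    def mint(cls, root_key: bytes, identifier: str) -> "Macaroon":
        return cls(identifier=identifier, signature=_chain(root_key, identifier))

    def add_caveat(self, predicate: str) -> "Macaroon":
        # Returns a new, more restricted macaroon; the original stays usable, so a
        # client can derive many attenuated tokens from one broad token.
        return Macaroon(self.identifier, self.caveats + (predicate,), _chain(self.signature, predicate))


def _check_predicate(predicate: str, ctx: dict) -> bool:
    """Evaluate one first-party caveat against the request context (assumed mini-language)."""
    parts = predicate.split(" ", 2)
    if len(parts) != 3:
        return False
    key, op, value = parts
    if key == "time" and op == "<":
        return ctx["now"] < int(value)
    if key == "scope" and op == "in":
        return ctx["scope"] in set(value.split(","))
    if key == "client_cert" and op == "=":
        return ctx.get("client_cert") == value
    return False  # unknown caveats fail closed


class Verifier:
    """Resource server side: holds the root key, checks the signature chain, then the caveats."""

    def __init__(self, root_key: bytes):
        self._root_key = root_key

    def verify(self, m: Macaroon, ctx: dict) -> bool:
        sig = _chain(self._root_key, m.identifier)
        for caveat in m.caveats:
            sig = _chain(sig, caveat)
        if not hmac.compare_digest(sig, m.signature):
            return False  # forged, tampered, or a caveat was stripped off
        return all(_check_predicate(c, ctx) for c in m.caveats)


def delegation_demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: one broad token from the authorization server, attenuated by the
    client before it is handed to a microservice (5-second expiry, read-only, bound to a cert)."""
    root_key = b"authorization-server-root-key-example"  # constructed sample key
    broad = Macaroon.mint(root_key, "access-token-42")
    delegated = (broad.add_caveat(f"time < {now + 5}")
                      .add_caveat("scope in accounts:read")
                      .add_caveat("client_cert = sha256:0f1e2d"))
    # Tampered copy: someone drops the scope caveat but cannot recompute the signature.
    stripped = Macaroon(delegated.identifier, (delegated.caveats[0], delegated.caveats[2]), delegated.signature)
    resource_server = Verifier(root_key)
    ok = {"now": now + 1, "scope": "accounts:read", "client_cert": "sha256:0f1e2d"}
    return {
        "read_within_window": resource_server.verify(delegated, ok),
        "write_attempt": resource_server.verify(delegated, {**ok, "scope": "payments:write"}),
        "after_expiry": resource_server.verify(delegated, {**ok, "now": now + 6}),
        "wrong_certificate": resource_server.verify(delegated, {**ok, "client_cert": "sha256:deadbeef"}),
        "caveat_stripped": resource_server.verify(stripped, ok),
        "broad_token_still_valid": resource_server.verify(broad, ok),
    }
```

The property worth noticing is that attenuation needs no round trip to the issuer: the client restricts the token offline, and any party holding the root key can still verify it, while removing a caveat breaks the chain and fails the signature check before the caveats are even evaluated.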

Learn more about the Identity Cloud here. Or contact your sales rep today.

Gain Early Access and Help Shape Our AI Risk Engine


Starting today, we are extending the ForgeRock AI Risk Engine Early Access program to include new security features. This is an exciting opportunity to preview how we’re harnessing state-of-the-art AI to accomplish a Zero Trust or CARTA security model.   

Leveraging AI to continuously inspect and adapt real-time access based on historical behavior and orchestrate real-time response is a powerful way to reduce account takeovers and insider threats at the point of access, while delivering delightful user experiences.    

In this phase, we are targeting a select group of customers (both CIAM and Internal) to help influence our roadmap. The early access program has two paths: one for design advisors, and one for design advisors plus data providers. For the latter, we ingest a participant’s anonymized production ForgeRock platform data, provide a dashboard, and then work together to identify threats and risks for AI Model Tuning. ForgeRock’s development and data science teams work closely with all early access program participants.

We are making tremendous progress and need your continued feedback to help us further enhance what will become an integral part of the ForgeRock Identity Platform that will run in the ForgeRock Identity Cloud.   

Today the ForgeRock AI Risk Engine can:
  • Identify and detect outliers and anomalies and respond with a risk score.
  • Respond by requiring multi-factor authentication (MFA) or allowing a user access without a challenge.
  • Leverage the power of trees to orchestrate risk journeys around partner network nodes, access management (AM)-adaptive risk nodes, and the AI Risk Engine.
  • Visualize anomalies and risks.

Future releases will provide organizations with continuous verification, explainability, end-user and administrator inputs for model enhancement, global learnings, and additional actions and remediations integrated directly into the platform. The engine will leverage continuous insights from the entire ForgeRock Identity Platform to optimize both user experience and security, while helping customers achieve a Zero Trust or CARTA security model.

We’re excited to invite you to help us gather feedback and shape the future of the ForgeRock AI Risk Engine. If interested, request an invitation to the ForgeRock AI Risk Engine Restricted Early Access Program today.

Fueling Groundbreaking Innovation Across the Digital Identity Landscape

CPO Vision  


We entered 2020 with a strong focus on what’s next in the digital identity landscape and a strategy aimed at turbo-charging our plans to infuse cloud and artificial intelligence into every aspect of the ForgeRock Identity Platform. Just recently, our ambitious plans got some extra fuel.

As most of you are aware, we recently announced a $93.5 million Series E round of fundraising led by Riverwood Capital. This infusion of capital will enable us to fund our investment in key innovations that will continue to help our customers drive exceptional experiences for their workforces, consumers, and things.

Identity is what makes digital access possible. It’s our passport to the digital world. If organizations do it well, they can reap significant business benefits. And, if they do it poorly, it can actually be detrimental to their business. 

At ForgeRock, we are dedicated to helping people access the connected world safely and simply. We firmly believe that identity done right is a force multiplier for positive business outcomes – like delivering better user experiences that will help increase customer loyalty and conversion rates and improve employee productivity, providing stronger security and privacy, reducing risk and improving compliance, and cutting costs. 

Now, more than ever before, as organizations work toward realigning how they conduct business in the face of a global pandemic, identity is foundational to their success today and in the future. As renowned technology investor Mary Meeker points out in her recent report on the economic and social impact of COVID-19, companies that have transitioned to digital are in the best position to emerge from the current crisis in a position of strength. We have always believed that identity is mission-critical. And today, as organizations are preparing for a post-pandemic comeback and the new normal we are well positioned to help them succeed. 

With that in mind, let’s take a look at how ForgeRock’s product strategy supports the accelerated pace of digital transformation – unlike any other vendor in this space.

First, ForgeRock’s full-suite, comprehensive identity offering is unique in the industry. The ForgeRock Identity Platform unifies a set of advanced technologies – identity management, access management, directory services, user-managed access, edge security, and identity gateway – in a cohesive way to address the needs of any organization at any stage of maturity. We will continue investing significantly in our core platform, which serves as the identity fabric that enables new business and digital services while integrating with your legacy IAM systems and applications.

Second, we are investing heavily in artificial intelligence (AI). We have a unique, differentiated vision of AI as an enabler of autonomous identity and access management. In essence, our platform leverages AI to predict, provision, and protect good access and to detect, prevent, and remediate bad access. All this is done with high confidence and in ways that can be interpreted and explained.

The third pillar of our product strategy is the cloud. When it comes to the cloud, our customers will have freedom of choice. Whether it’s their cloud, a third-party cloud platform, or our cloud, they will derive the same benefits from ForgeRock technology. An extension of our vision for the cloud is our market-first identity platform as a service solution. With this round of funding, we will continue to invest in ForgeRock Identity Cloud, which provides our full-suite, comprehensive identity offering as a service, making it easier for organizations to solve more use cases with a single solution rather than having to stitch together different point products.

This latest round of funding during an unprecedented time in recent history underscores the fundamental contribution ForgeRock is making to the advancement of a safe, easy-to-access digital world. We pledge to continue to drive innovation and support the digital transformation of our customers and their users.

Read the recent press release announcing our series E funding.

Access Control, UMA, and Everyday Experiences

In the first blog of this series, “Create Better User Experiences by Applying Confirmation and Authentication in the Right Places,” I talked about how organizations are de-emphasizing authentication in favor of confirmation to create a better, more natural user experience. 

This time around, I’m turning my attention to access control and why it’s important for transactional applications to streamline this process in order to create the best possible user experience. Access control boils down to this: Is a particular individual authorized to access a resource, and can they delegate a proxy to access that resource?

Why users need and want to delegate access

Here’s a personal example where not providing a user with the ability to delegate a proxy can get things into an unpleasant tangle. Several years back, when my job required a lot of overseas travel, I hired a bookkeeping service to attend to my personal accounting and pay all my bills. Every month, my bookkeeper would log onto the website of a particular credit card I had and pay my bill. And, without fail, the credit card company would lock the credit card because it observed what looked like suspicious activity. My bookkeeper was logging into their site from her location in the U.S., and I happened to be using the credit card to pay for things in Germany. The credit company logically concluded the card had been stolen, so they blocked the account. Was it a sensible and secure measure? Yes. Did it interfere with the user experience and cause a lot of frustration? A resounding yes! And the result? I cancelled the credit card. 

You can see why the concept of allowing users to assign one or more secondary authorized users makes a great deal of sense. When we consider financial services or healthcare, for example, it’s perfectly reasonable for an elderly parent to delegate their adult child to go to the pharmacy to pick up their prescriptions for them or manage their bank accounts.

In fact, the idea of giving access to people designated by the primary user is being used in many scenarios we’re already familiar with, such as family plans for mobile phones and bank accounts. These are all valid situations where we want delegation. And most of us are accustomed to sharing or delegating access to a group of people in Google Docs, for example. 

Beyond delegating to people, we’re also increasingly delegating authority to things, like Amazon Echo and Google Home. 

Let’s push that envelope even more by imagining a scenario where I own a self-driving car that becomes an Uber vehicle that picks up and drops off passengers while I’m at work. A number of interesting questions arise. When the automobile starts running low on gas, who will validate the credit card when the car needs a fill-up? Will the credit card company end up sending me a text message with an alert while I’m busy at the office? And what happens to the poor passenger, who is at the mercy of the credit card company approving the transaction for the driverless vehicle? 

So we can see that today, and even more so in the future, multiple identities may need to be involved in a transaction. 

Move over, MFA. Enter UMA.

As more organizations start to embrace the notion of delegation, there are some things they need to keep in mind. More often than not, the authorized users are geographically separated, they are likely to be using different types of devices, and one or more may or may not even be connected at any given time. 

Many applications currently rely on traditional means of verifying identity, like multi-factor authentication (MFA). But if MFA is their answer to security, they are making the delegation process much harder. 

This is where advanced technologies like user-managed access (UMA) can help customers and employees determine and control who can have access to their resources, for how long, and under what circumstances. And, of course, UMA can help optimize the user experience. It doesn’t have to be complicated. There are solutions available today that provide a convenient central console for organizing digital resources that reside in many locations (for example, where we save our credit card information on various sites), delegating access to others, and monitoring and revoking access. 

UMA is a great way for organizations to give users what they want and need, hassle-free, while providing privacy controls that meet compliance requirements and build trust with customers.

Curious about UMA? Find out how ForgeRock does it. 

Create Better User Experiences by Applying Confirmation and Authentication in the Right Places


Let’s face it, no one wakes up in the morning and jumps out of bed looking forward to going to the login page. For a long time, authentication has been something we’ve been forced to do on the way to doing what we really intend to do. 

This begs the question: Are applications, in fact, negatively impacting the user experience by requiring users to go through the painful and lengthy process of signing in before they actually get on with the task at hand – whether it’s making a purchase or depositing money into a bank account?

From my perspective, the answer is yes. Fortunately, there’s a movement afoot to de-emphasize authentication in favor of confirmation. 

When does authentication matter? 

Let’s examine some typical transactions. When a user engages in a transaction online, there is a whole set of actions they take with varying levels of assurance about their identity at every step. As the user moves closer and closer to an action that has consequences, businesses and other organizations need to look at the actions in the sequence and ask: “How important is it for us to know who that person is, and how confident are we that we know who is involved in the transaction?” 

The answer is that it all depends. In many cases, the identity of the person performing an action hardly matters at all. Let’s say you’re paying a traffic ticket online. Does your municipality really care about who pays the ticket? You do, of course, because you don’t want your car impounded, but all that matters to your city or county is that they receive the money in one form or another.

Similarly, when you purchase an item online, the e-commerce company is primarily concerned that the method of payment is valid and appropriately approved. They really don’t care who is buying that toaster, hair dryer, or eBook. 

Financial services organizations have also realized that multi-factor authentication is not required for every single online interaction. For example, when it comes to mobile apps, many banks are now giving their customers the option to automatically see their account balance on the “Hello” page. Banks know that displaying this information isn’t really risky until the user wants to do something, and, at that point, the user needs to authenticate with a password, face ID, or thumbprint. 

Here’s an example where the need for authentication was questionable. Recently, there was a mandate that U.S. government agencies were required to use Level 3 authentication (two-factor authentication). The Department of Labor decided to do an analysis of the resources they made available online and discovered that this level of authentication was completely unnecessary because many of the documents were public access information. In the physical world, you could simply walk into one of their offices and pick up the hard-copies. So they questioned why they made it onerous for the user to get those documents online and made some changes to simplify access.

In other instances, authentication does matter at the outset. For example, when an individual flies home from a foreign destination, it’s important to make sure the person who is entering the country is really who they say they are.

And there are times when applications call for occasional authentication. But if not handled properly, that can break the user experience if the authentication request comes at an inopportune moment. Mobile payment apps are really convenient for paying toll charges while you’re driving, but what if the app asks you for your password when you’re at the toll booth? And what if that password is in a password manager on your laptop – which you left at home? 

So the lesson here is to evaluate whether and when you really need authentication. All these real-world examples underscore the notion that validation for various transactions and activities requires different levels of assurance. But I do believe that the general approach organizations can take for most applications is this: if they feel fairly comfortable about who the user is, they don’t have to get in their way. If they do the job of knowing who the user is really, really well, then they should be able to reach a point where the user isn’t even aware that this is happening. The process of going to the login page should be almost invisible. In fact, there probably isn’t even a login page!

By using confirmation rather than authentication where it makes sense, the user experience becomes more natural, more like the real world. When you go into a department store, you load up your shopping cart, and then, when you get to the checkout counter, you are asked to show that you can pay for the merchandise. And most of us feel okay about that. It’s a quid pro quo transaction – you’re expected to produce a valid form of payment and ID, and you receive something in turn. 

Amazon is a master at this. After you’ve shopped at Amazon a few times, you don’t get asked for any form of authentication. For Amazon, it’s far more important to show you merchandise that you may want to buy. When you’re ready to purchase, you just add to cart and place your order. If the item is pricey, Amazon does have certain paths to identity authentication. It’s obvious that Amazon is very cognizant of where the consequential actions are being made – and where certain levels of assurance should be applied. 

It really comes down to this: as long as it’s a recognizable device and browser doing things that the user normally does, we can be somewhat confident that the user is who they say they are or who we think they are. Where there are transactions of consequence, they can verify that this transaction is being performed with appropriate authorization.

If an organization’s goal is to retain customers and acquire new ones, it wants to make things as easy as possible for them so they’ll keep coming back. Maybe it’s time to rethink how to handle authentication in applications. Where does it truly matter, and where is confirmation sufficient? When the right balance is achieved, users will be happier and more loyal. And that just makes good business sense. 

Click here to learn how to deliver exceptional login journeys for your customers. 

Stay tuned for my next blog on “User-Managed Access and Everyday Experiences.”

Cloud Series: Design And Adjust Complex User Journeys Across All Your Digital Channels


One of ForgeRock’s most popular features, authentication trees (also known as Intelligent Authentication), is even better in ForgeRock Identity Cloud. With our improved graphical authentication trees in the cloud, you can now construct a variety of complex ways for your users to log in. Your users can be given the flexibility to choose the most convenient authentication method based on geography, device type, biometrics, and more. A simple and streamlined customer/user onboarding process, for example, can reduce the cost of acquisition, lower support effort, and improve overall customer experience.

Intelligent Authentication allows for the creation of dynamic and personalized user flows by providing easy and intuitive drag-and-drop capabilities. That way, you can design and adjust user journeys for registration, authentication, and self-service to satisfy user populations across all your digital channels in one user interface. And, by partitioning off small segments of users, you can further innovate and create safe new ways to log in, with all the analytics you need to test your A/B hypotheses.

Intelligent Authentication 

Intelligent Authentication’s access orchestration enables you to:

  • Quickly consume out-of-the-box authenticators, use existing authenticators, integrate with cybersecurity solutions, and create custom authenticators.
  • Visually design user journeys for your workforce and consumers with an intuitive interface that makes it easy to create a variety of security and risk profiles. 
  • Easily configure, measure, and adjust login journeys using digital signals, including device, contextual, behavioral, user choice, analytics, and risk-based factors. 
  • Leverage user login analytics to increase user adoption rates and improve the customer experience.
  • Automatically redirect suspicious users for further monitoring.


Combined Capabilities

With Identity Cloud, we’ve provided more powerful combined capabilities in an interface that supports agility and rapid integration. Authentication trees, which are made up of authentication nodes, define actions taken during authentication. Each node performs a single task during authentication – for example, collecting a username or making a simple decision based on a cookie. Simplified configuration also ensures that relevant compliance steps are included and the user's preferences are accurately recorded. Intelligent and, therefore, frictionless approaches to enriching customer data can assist in building a cleaner, more detailed view of the customer across multiple channels.

With Identity Cloud, you have the capability to build registration trees. This combines the flexibility of our Intelligent Authentication trees with the power of our Identity Management solution to build rich and powerful registration flows alongside authentication and self service within one interface.

With this release, you can build password and username reset flows alongside your authentication flows. 

A/B Testing

A new feature allows you to partition off a set of users. Use this to find the best way to map and further fine-tune user journeys.

New SDK support is available for the username, password, KBA, and terms and conditions nodes. This allows for better time-to-value when embedding registration tree capabilities into your native mobile and web apps.

Provide More Value to Your Users 

By providing a large number and variety of authentication options (including future platform capabilities), ForgeRock helps businesses create sustainable solutions that adapt to changing user preferences and/or client and device technologies. This level of flexibility can be accommodated while remaining aligned with, and compliant with, company and, where relevant, regulatory policies. And users are able to maintain their chosen authentication method using a self-service approach, based on their own changing needs. Authentication approaches can further be optimized and modified based on this data, to remove complexity as well as fine-tune user journeys and experience.

While you may be running an earlier version of ForgeRock Identity Platform and/or cannot easily upgrade to take advantage of the authentication trees available in version 6.0+, with Identity Cloud, you will be able to take advantage of the authentication trees today, while you coexist on premises and in the cloud, progressively moving off your legacy system tomorrow.

Learn more about the Identity Cloud here. Or contact your sales rep today.

Best Practices for Earning Insurance Customer Loyalty

Part 1: How IAM Helps Make a Personal Connection 

Demand for exceptional, personalized customer experience is a top motivator for digital transformation for nearly every industry – and insurance is no exception. But let’s face it, knowing your users and providing personalization is no easy task. According to the Gartner “2019 Financial Services Consumer Trust Survey,” only 25% of insurers have a single view of their customers. 

Whether you're tailoring policies to fit customer lifestyles or introducing a new payment plan, you’re constantly striving to win customer loyalty and get ahead of the competition. On top of this, you need to keep up with regulatory demands and rising customer expectations for your area of specialization.

In this four-part blog series, we’ll show you how identity and access management (IAM) can drive real business value and help you provide the best coverage to as many people as possible. 

We'll start with personalization and how you can gain a single view of your consumers – the cornerstone to any viable IAM strategy.

Customer Expectations: It’s Personal 

An Accenture “2019 Global Financial Services Consumer Study” found that 64% of consumers are interested in insurance premiums that are tied to personal behavior. Car insurance premiums, for example, have traditionally taken a historical view of the driver but haven’t always reflected their current behavior. As a result, leading insurance providers are now starting to offer usage-based insurance (UBI), also known as pay as you drive (PAYD), pay how you drive (PHYD), and mileage-based auto insurance. Costs depend on the type of vehicle used measured against time, distance, behavior and place. 

This offering can be a win-win for insurers and policyholders. Linking insurance premiums to driving performance enables insurers to price premiums more accurately, while policyholders could potentially save on costs. Insurers are also leaning toward UBI to gain market share among consumers who don’t own vehicles and want a “pay-as-you-go” model when renting them. 

Health insurance providers are also seeing a rise in personalized expectations, with wearables paving the way. The global wearable devices market is expected to reach $62.82 billion by 2025, and healthcare insurers are finding opportunities with consumers willing to share personal data in exchange for value-added services. Data from fitness trackers and wearable monitors can help insurers more accurately rate a patient’s risk for illness. And patients who take preventative measures to improve their health can benefit from lower insurance premiums.

With the adoption of electronic health records (EHRs), health institutions have started to integrate device data into patient portals. And, as you can guess, the collection of this data requires aggregation of patient attributes from multiple sources to form a single view for better patient outcomes. 

The Takeaway: Personalization Starts with a Single View

Personalization offers value for both you and your policyholders and is seen as a major differentiating factor when it comes to consumers selecting a provider. But this requires seamless sharing of customer data to create continuous offers based on consumer needs – and that requires a single view of the user. 

It sounds easy, but it’s not. That’s because you likely have disparate customer data residing in multiple locations across your organization. So how can you achieve a single view of customers? A modern IAM platform enables you to orchestrate digital identities in real time, so a customer, their connected things, and all the services they use are consolidated into a single user profile. By doing so, you can improve customer experiences, save time, and increase revenue. 

Five Steps You Can Take to Gain a Single View of Users
  1. Think like your customer, and then define your go-to-market approach. Start by taking a journey-based view of customer interactions. By getting the whole picture of the customer journey from end to end and spanning multiple channels, you can build for success. Modern IAM provides your customers with frictionless capabilities, simplifying registration anywhere and from any device, streamlining access from multiple channels/accounts, and enabling collection of personal data over time to help you tailor the user experience. 
  2. Identify consumer data sources. Chances are, you have rich consumer data residing in silos throughout multiple lines of business. Removing these silos and encouraging cross-sell activities will help overcome this challenge. Explain the value to your marketing, sales, customer service, claims, and compliance departments. Identify the data needed by each department and how they plan to use it. 
  3. Identify technology needs for interoperability. Take a look at existing technologies that have integration points into other systems. Look for gaps and for modern tools that have extensive integration and open architectures that can scale. The goal is to consolidate and synchronize user data from disparate sources, including databases, directories, files, CRMs, and social media. 
  4. Merge disparate consumer data sources. Ensure your IAM is capable of consolidating and managing customer data at scale. With a modern IAM platform, you can create a single, secure, and consolidated store of customer identities that can be synchronized automatically. A modern IAM platform can manage the identities of customers and all of their identity relationships, devices, and things to build a complete 360-degree view of customers and how they interact with your company across every channel.
  5. Involve your consumers. Through a modern IAM platform, consumers can control how they wish their identity to be managed, as well as triggering subsequent steps that relate to their decisions. Involving your users from the start will save you time and money as a result of fewer support calls. And, you’ll be confident that your data is accurate, so you can make better decisions and offer timely, personalized offerings. 

In addition to aggregating personal consumer data to personalize your offerings, regulatory requirements task you with keeping consumer data safe. In part 2 of this blog series, we’ll discuss regulatory pressures and how you can turn compliance into competitive advantage.

Can’t wait to learn more? Read Modernizing the Insurance Industry with IAM

Single Sign On (SSO) 101

The What, Why, and How for Those New to Identity and IAM

In recent months, people all over the world have been working, studying, shopping, socializing, even visiting with their doctors online from their homes more than at any other time in history. In fact, a recent Gallup poll found that the number of employed Americans who say they worked from home has doubled since mid-March 2020 to 62%. In terms of socializing and video calls, TechCrunch showcased that Facebook-owned WhatsApp saw a 40% increase in usage in March. And CNBC reports that telehealth visits increased by 50% in March, according to research from Frost & Sullivan.

With this unprecedented number of people requiring access to all sorts of apps, services, and systems remotely from their homes, the question of how to provide easy yet secure access from anywhere at scale is top of mind for organizations. This is no easy undertaking, especially when there are billions of people conducting billions of logins to apps within a single day. And for employers and educational institutions, supporting remote work requires the complex task of ensuring that employees and students have easy, secure access to all the internal work apps, services, and systems they need to do their jobs from home – which, in some cases, means providing access even if the employee or student is using their own device, such as a personal computer, tablet, or mobile phone. 

What enables easy, secure online access for billions of users across the globe? Identity and access management (IAM) systems. And a core capability of IAM is single sign on (SSO).

So, what is SSO and how does it work? For this SSO 101 post, let’s start from the beginning.

The Origins of SSO 

To understand what SSO is and why it’s needed, it’s important to first know how basic, traditional access to apps, services, and systems works and what life was like before SSO. 

As you’re well aware, our lives today are filled with using different apps, services, and systems. To gain access to these and all of your personal data and information within them, such as an existing spreadsheet you’ve been working on or what you may have previously placed in your online shopping cart, you must first prove that you are indeed you. In the world of IAM lingo, proving that you are you is called ‘authentication’. 

Traditional authentication is done with username and password login credentials. When you enter your username and password, that information gets validated against a repository (such as a database, directory, or even text files) that stores your credentials. If what you typed in matches what’s in the repository, you're in. If not, try again. 

When the digital age took flight in the late 1990s and early 2000s, each app, service, and system had its own repository that stored login credentials and user data for authentication. This one-to-one ratio resulted in an enormous number of siloed repositories containing data about a single person. And when developers created a new app, they had to create a new repository along with it to store user credentials for that app — which meant that the number of repositories and silos just kept growing. 

From a user experience perspective, because each app, service, and system within an organization had its own separate credential repository, you were required to log in with a username and password separately to each for access. This cumbersome process created many problems. 

For example, the phrase ‘password fatigue’ was coined because users grew tired of remembering multiple usernames and passwords day in and day out. Organizations had to create policies for employees to not leave passwords written on paper and sticky notes lying out in the open in the office (for real). And every time a user forgot their credentials, they had to call IT to reset them — leading to the creation of full-time IT help desk jobs specific to password resets. Plus, and most importantly, at the time lost or stolen passwords were a top, if not the, leading cause of security breaches.

What was the solution to all of the above? Identity and access management (IAM) systems and single sign on.

What Is SSO and How Does It Work? 

Organizations understood the problems that multitudes of usernames and passwords and separate logins presented. To address the problem, the notion of consolidating the multitudes of individual credential repositories built for each app, service, and system into one repository surfaced. In other words, a multi-to-one ratio — one master repository that stores credential and user data for multiple apps, services, and systems. Identity and access management systems and SSO were thus born.

Identity and access management and SSO solutions have a single identity repository called an identity store that contains user credentials and identity data for multiple apps, services, and systems. This is the underpinning of SSO. Because of this single identity store, users only have to log in once in order to gain access to all of the apps, services, and systems associated with that identity store. In other words, SSO enables a user to access multiple applications with one set of login credentials. This means no longer having to remember (or write down) a gazillion passwords and logging into each app separately (yeah!). From this, the world was made more secure, productive, and efficient — and we’ve never looked back.

SSO Evolves to Meet New Trends, Technology, and Risks 

An important point to keep in mind here is that the SSO model explained above is its most basic form. At their inception, IAM and SSO were only used internally within a single organization and its security perimeter.

Of course, things have vastly changed since the late 1990s and early 2000s. Technologies like mobile smart devices and IoT, trends like remote working and online shopping, and cybercrime like breaches caused by fraudulent user login tactics have evolved greatly over the decades. To address these, SSO capabilities and sophistication have also evolved. 

For example, SSO must now work beyond a single organization’s perimeter to enable remote employees, third-party partners, customers, and even IoT ‘things’ access to apps, services, and systems. This requires technology called ‘federation’ and ‘federated single sign on’. We will discuss federation in our upcoming post SSO and Federation for Beginners, so stay tuned.

Updating Legacy Single Sign On with Modern SSO Capabilities 

Unfortunately, even though the world has greatly changed, most organizations still have large investments in legacy IAM and SSO systems that lack the flexibility to support today’s unique requirements and meet the surge in online demand happening currently. To address this issue, leading organizations have set forth to update their legacy IAM and SSO systems with modern, flexible IAM platforms like the ForgeRock Identity Platform. 

For example, a large global retailer with 80,000 internal identities recently had an initiative to modernize their IAM from many legacy and homegrown solutions in order to improve workforce engagement and provide SSO to both on-premises and Software-as-a-Service (SaaS) applications. They also had an aggressive strategy to move 80% to the cloud by the end of 2020. To accomplish all of the above, they needed a state-of-the-art, future-minded IAM platform that could help them achieve their goals. After evaluating five providers, this global retailer selected ForgeRock based on our ability to meet their requirements as well as support their digital transformation and cloud migration initiatives.

With platforms such as ForgeRock, organizations like the retailer above can get all of the new IAM and SSO capabilities they need quickly and cost-effectively without ripping and replacing their legacy IAM systems (such as CA Single Sign-On [SiteMinder], Oracle, IBM, and homegrown solutions). Plus, you can do it within minutes in any cloud environment for millions of identities, or consume it as a service.

Again, stay tuned for our SSO and Federation for Beginners blog post explaining how federation allows external users, such as customers, single sign on access to apps, services, and systems. Until then, learn more about how to connect everyone, anywhere or contact us to get started.


Series E Funding Marks a Momentous Day at ForgeRock

CEO Perspective 


We’ve reached an important milestone at ForgeRock that puts us another step closer to becoming the most important digital identity company in the market. I’m pleased to announce that we have secured an additional $93.5 million in Series E funding from Riverwood Capital and our existing investors.

It’s a momentous day not only for our partners, investors, and employees, but also for our customers—the more than 1,100 organizations counting on us more than ever in light of the global pandemic to make their employees 100% productive and their customers happy. 

This fundraising comes on the heels of a transformational year where ForgeRock grew very quickly and crossed $100 million in ARR as we acquired over 200 new large enterprise customers. With enterprises looking to transition from legacy or point solutions to a modern identity platform for both workforce and consumer identity use cases, we are seeing accelerated growth. 

While this is a moment to celebrate, we know the best is yet to come. This additional funding will enable us to infuse every aspect of the ForgeRock Identity Platform with the power of artificial intelligence (AI) so organizations can identify the actions that move the needle in order to make better, faster decisions. This new round will also support our cloud ambitions and turbo-charge our sales, marketing, and customer success organizations to take them to the next level. 

We entered the category for digital identity in 2010. We are a leader in this fast-growing category today. We have a simple purpose that inspires our employees: help people safely and simply access the connected world. 

ForgeRock created the industry’s first AI-powered identity platform built for any deployment option. Growing ahead of industry pace, we changed the traditional identity market by introducing the most comprehensive identity platform for consumers, workforce and things.

We are backed by the best. I’d like to welcome Riverwood Capital and Accenture Ventures to our mission, as well as thank existing investors, including Accel, Meritech Capital, Foundation Capital, and KKR Growth for their continued support. ForgeRock has now raised more than $230 million in growth capital since its founding and we believe that this will be our final fundraising prior to an IPO. 

Finally, I’d like to thank our customers and partners. I know sectors like financial services, public sector, healthcare, media, and online retail are facing incredible pressures in the current climate. The ForgeRock team is prepared to step up and help keep your remote workforce productive and your customers happy as they shelter in place.

Thank you for your trust in ForgeRock. We are confident we have the team, the strategy, and the operational rigor to continue our successful journey and deliver for all our stakeholders. 



Cloud Series: Say Goodbye to Passwords and Usernames


If you already use passwordless authentication, then you’re going to like authentication without a username. This new capability is an extension of the FIDO 2.0 WebAuthn specification, which currently allows users to authenticate with FIDO2-compliant security keys instead of a password on enabled sites. These can be external keys, such as those from Yubico, or built-in platform authenticators accessed via Touch ID or Windows Hello. The new Resident Key credential – available in both the ForgeRock Identity Platform 7.0 release and the ForgeRock Identity Cloud – will allow users to authenticate to an enabled app or website without needing to enter a username or password.

What Is WebAuthn? 

WebAuthn is a web standard published by the World Wide Web Consortium (W3C) and is an important part of FIDO 2.0, from the Fast Identity Online (FIDO) Alliance, whose members currently include Google, Microsoft, ARM, Bank of America, Mastercard, Visa, Samsung, LG, Dell, and RSA, among others. As a W3C standard, WebAuthn is starting to gain wide adoption through native support within the latest Chrome, Firefox, Safari, and Edge browsers. 

Support for Resident Keys, which provides for usernameless authentication, is currently native to Chrome and Edge and will be added to other browsers soon. This expansion of the WebAuthn protocol will be part of the ForgeRock Identity Platform 7.0 and the ForgeRock Identity Cloud. It will deliver usernameless user flows, as well as device attestation, origin domains, and richer integrations into our Intelligent Authentication framework.

Easy to Use 

To start using WebAuthn, a visitor to an enabled website is offered the opportunity to create and register a token. Sites that are enabled may prompt the user to insert the physical token into a USB port or tap it against an Android phone.  


Whenever the user returns to that website, the authenticator creates an assertion that proves the user holds the private key created at registration. The website’s server then verifies that assertion with the public key it received during registration. The user never again needs to provide a username and password to that site from that device.

What Is a Resident Key? 

A Resident Key is a password-less and username-less credential that may be stored in the browser, on the user’s device, or in an authenticator. Some have suggested that a better name would be “discoverable key”, because when a user returns to an enabled website, that site discovers the presence or absence of any keys related to it in the user’s browser, on the user’s device, or in an authenticator. 

The user experience would be similar to using single sign-on (SSO) today (although technically very different). A user might navigate to a login page. Instead of typing in a username or password, the user would plug in and then use an authenticator, such as an external key like a Yubico key or a built-in platform authenticator accessed via Touch ID or Windows Hello. The user is then logged in without the need for any further action. 

Additional Security  

Because WebAuthn is a W3C standard, there’s more going on behind the scenes than just authentication. For example, by keeping the private key on the device and never on a remote server, WebAuthn can help to provide stronger web security against phishing and man-in-the-middle attacks.

How? When a user first creates a passwordless or usernameless credential, a public key is shared with the legitimate website, and the credential is bound to that site’s origin: the browser will only offer it to the site it was registered for. If there is a phishing attack, the login process will not work; on a look-alike copy of the site, the user’s key will fail and they will be prompted to enter a username and password. This interruption of a frictionless login experience should at least alert the user that something is wrong. And by eliminating the need for users to type passwords and usernames, this should further thwart any potential password-stealing man-in-the-middle eavesdropping attacks. 
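The verification described in the two passages above (the assertion check in “Easy to Use” and the phishing argument here), written out as an added example in Go; it is not ForgeRock code and not from the original post. A simulated authenticator signs over its authenticator data plus the browser-supplied client data, and the relying party checks the challenge it issued, its own origin and RP ID hash, the user-presence flag, the signature counter and the ES256 signature against the public key stored at registration. The RP ID `shop.example`, the origins and the nonces are made-up values; `https://shop-example.test` stands in for a look-alike page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// collectedClientData mirrors the JSON the browser builds for signing; the browser, not the page's script, sets origin.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() returns, as the server receives it.
type Assertion struct {
	AuthenticatorData []byte // rpIdHash(32) | flags(1) | signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // ES256: ECDSA P-256 over SHA-256, ASN.1 DER encoded
}

// StoredCredential is all the site keeps from registration: public key plus the highest signature counter accepted.
type StoredCredential struct {
	RPID      string
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

// signedDigest is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}

// Register simulates registration: the authenticator keeps the private key, the site stores only the public key.
func Register(rpID string) (*ecdsa.PrivateKey, *StoredCredential) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: rand.Reader does not fail in practice
	return priv, &StoredCredential{RPID: rpID, PublicKey: &priv.PublicKey}
}

// Authenticate simulates browser plus authenticator on a return visit; origin is the browser's view of the current page.
func Authenticate(priv *ecdsa.PrivateKey, rpID, challenge, origin string, signCount uint32) Assertion {
	cd, _ := json.Marshal(collectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = 0x01 // UP flag: a tap or Touch ID confirmed user presence
	binary.BigEndian.PutUint32(authData[33:], signCount)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}
}

// VerifyAssertion is the relying-party check: bind the response to the issued challenge, own origin/RP ID and stored key.
func VerifyAssertion(cred *StoredCredential, a Assertion, expectedChallenge, expectedOrigin string) error {
	var cd collectedClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("not an authentication ceremony")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	case len(a.AuthenticatorData) < 37:
		return errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	switch {
	case string(a.AuthenticatorData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch: credential is scoped to another site")
	case a.AuthenticatorData[32]&0x01 == 0:
		return errors.New("user presence not confirmed")
	case count != 0 && count <= cred.SignCount:
		return errors.New("signature counter did not increase: possible cloned authenticator")
	case !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return errors.New("signature does not verify against the registered public key")
	}
	cred.SignCount = count
	return nil
}

func main() {
	priv, cred := Register("shop.example")
	good := Authenticate(priv, "shop.example", "nonce-1", "https://shop.example", 1)
	fmt.Println("genuine site:", VerifyAssertion(cred, good, "nonce-1", "https://shop.example"))
	// Look-alike page relaying the real challenge: the browser still reports the real origin (and would derive a different RP ID).
	bad := Authenticate(priv, "shop.example", "nonce-2", "https://shop-example.test", 2)
	fmt.Println("look-alike site:", VerifyAssertion(cred, bad, "nonce-2", "https://shop.example"))
}
```

The genuine visit verifies, while the look-alike origin, a replayed challenge and a non-increasing counter are each rejected with a distinct reason the relying party can log.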

Frictionless Future 

To learn more about a passwordless future, ForgeRock’s Ben Goodman recently published a three-part blog series, Passwordless. The series describes how mobile phone providers were the leaders in passwordless authentication, continues with a bit more detail about FIDO 2.0 and WebAuthn, and concludes with how ForgeRock’s unique implementation allows for our ever-expanding Trust Network to add a wide range of choices of biometrics and other technologies for your customers. 

Learn more about the Identity Cloud here. Or contact your sales rep today.


How Digital Experiences Will Transform the Way We Buy Our Food


The grocery retail experience we all grew up with is vanishing. With governments across the world delivering social distancing edicts and only allowing journeys out of the home strictly for critical needs – food and prescription shopping being two of them – your traditional trip down narrow aisles of food now includes new surprises like tape on shop floors directing traffic to help people stay safe and maintain social distancing.

Groceries go digital

Online ordering systems are failing around the world due to massive spikes in demand. Here in the U.K., finding an online delivery slot is becoming extremely difficult. That phenomenon is occurring globally as well. A recent poll conducted by RBC Capital Markets found that as of March, 55% of Americans polled had ordered groceries online, compared with 36% two years ago. One-third of respondents said the first time they had ever ordered groceries online was in the past 30 days. 

So what can grocers do to counteract these massive challenges and help consumers?

As a former retail and marketing strategy executive, having worked for Sainsbury’s and Boots, among others, I’ve been racking my brains to think about how we can keep our nation of shoppers safe when they visit our stores, how to reduce the strain on online delivery systems, how to help serve the millions of people who are clinically vulnerable, and, if existing grocery staff need to self-isolate, how you, as a retailer, can onboard new staff quickly, safely, and securely.

The answer from my perspective is a proven technology known as digital identity and access management software (known within the sector as CIAM or IAM). As with most digital capabilities, IT departments can deliver this on premises or in the cloud (via public cloud, private cloud, or a hybrid environment).

Retailers and grocers should look to expand their “click-and-collect” services, which will remove the strain and danger of shopping inside stores by diverting in-store shoppers to collecting their groceries in outside spaces or car parks. 

Now clearly, there are still logistical challenges, temperature and weather being a couple of obvious ones, as well as training the staff to support the service, but it's certainly a possible route that would reduce in-person contact. Imagine driving up to the grocery store, receiving a text message identifying you (or your partner if they have your permission to collect the groceries on your behalf), along with instructions on where to find the store’s preferred pick-up location so that the grocery staff can simply open your trunk to load your goods and off you go.  

Companies like ForgeRock make it easy for retailers to verify the identity of a customer to ensure that the right person gets their online order and to eliminate concerns about fraud.  

We can also expect that companies will see increased turnover as the number of people testing positive for COVID-19 grows and/or retailers rapidly hire to meet increased demand. Instacart has announced that it is hiring 300,000 more full-service shoppers due to COVID-19. Walmart, CVS, Amazon and other U.S. employers are hiring more than 800,000 to handle the crush of online shoppers who are asking for delivery service. To help keep operations running smoothly, organizations are going to need a way to onboard new staff quickly. IAM capabilities make it possible to give new employees access to relevant systems securely in a matter of minutes rather than days, while protecting company data. 

Grocers worldwide are being forced to re-examine their current systems and processes. The move to digital occurred almost two decades ago, but the current challenges are driving even greater change, globally and locally. 

If the margins from stores are greater than the online channel – due to shipping charges and handling charges in this current climate – creative new ways of fulfilling orders are desperately needed, and perhaps this is one way technology can help. 

We’re Here to Help 

With modern IAM capabilities, grocers and retailers can easily address the new demands they are facing. Getting started is simple. Contact us to start a conversation, or learn more about how to connect everyone, anywhere.


Continuously Assuring Access – Learning to Say “Yes” More

In my blog on Zero Trust (“Castles to Cities”) I promised a follow-up on CARTA.

What is CARTA? 

Coined by Gartner, this term stands for Continuous Adaptive Risk and Trust Assessment.  

At the highest level, CARTA as a concept gives us a roadmap for taking a more dynamic and ongoing approach to securing our applications and services.

Let’s break some of these terms down. Security and risk are often looked at through three lenses: protect, detect, and respond. The continuous aspect tends to be focused on a runtime evaluation of some sort, typically involving another buzzword – that of context. The context normally refers to non-identity related signals associated with login and access events.  

“Continuous” could be said to fall within the “protect” and “detect” buckets.

So what about “adaptive”? Adaptive falls into the “respond” section, where, based on the runtime context check, access to a particular resource is dynamically altered to fall in line with the accepted trust level. An example of adaptive access based on risk is redacting the price field within a database because the end user has switched from a known corporate network to public Wi-Fi.

From a design perspective, a CARTA pattern could be used to help implement a Zero Trust infrastructure.

So how does this all apply to identity and access management? 

Let’s look at two basic examples: login and resource access, typically known as authentication and authorization. During login, a CARTA model would see us collect a lot more information – data signals from internal and external systems – anything to help us understand who or what is attempting to log in. Based on that runtime check, the first step in the adaptive access journey is triggered. We can start to tag the user with different labels.  

Those labels can then be used for further validations: for example, device assurance levels, network botnet likelihood, days since password change, risk of breached credentials, and so on. The labels tend to get added to web cookies, OAuth2 access tokens, or even OpenID Connect ID tokens.

The concept makes a great deal of sense. If I log in to application X and stay logged in the entire time, how can we be sure that it’s still me accessing the app two hours later? What if I went to grab a snack and someone else is on my laptop?

If we capture more contextual information during the login event, we can effectively make more informed decisions throughout the lifetime of the user’s activity.

The approach with CARTA is to verify the context at frequent intervals, or at least every time the user attempts to access a resource. Much of this will be invisible to the end user, however.

A very basic version of this has been around for quite some time in web applications. Cookies get set with a time limit for the session, and, if you’re inactive for a defined period or come to the end of the session life, you get logged out. The thing is, that’s a pretty poor user experience. It would be quite rare to perform any intra-session validations. This is where CARTA can help.

Every time the cookie, session, or access tokens are used, we then perform those transparent contextual validation checks, looking for differences (remember the detect step) before responding dynamically.

So as the IAM platform continuously evaluates changes and risk, what is happening? The system is evaluating the user/application context and comparing it to the initial authenticated state. As it does this, it is taking into account many inputs (or signals) – from the device you are using to the network you are on – and even behavioral signals that may be compared in back-end risk systems.

But what happens when a difference is found? This is where the adaptive aspect comes into play. Traditionally, anything looking suspicious, either during login or resource access time, would typically trigger a blocking event – a clumsy step up or even the dreaded “Access Forbidden” label. End users, especially in the consumer world, demand better user experiences.

Being adaptive during the risk response process is critical to not only improving security but also improving user experience. Let’s look at an example. Say that, during login, we label a user as potentially using a network that has previously been involved in botnet activity. Coupling that with using an outdated internet browser might result in an adaptive access response that involves increased audit logging for that event and a throttling of the number of hits that user can make against a protected resource or API.  

We’re not saying “no access,” we’re simply degrading access until the risk level reduces.
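The login-time labelling and graded response described above (the botnet-network-plus-outdated-browser example, and the earlier corporate-network-to-public-Wi-Fi price redaction), as an added example in Go that is not from the original post or from any ForgeRock product. The signal names, the label strings, the 30-requests-per-minute throttle and the field name `price` are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Context holds the non-identity signals a CARTA model collects at login and again
// on every later use of the session cookie or access token.
type Context struct {
	Network         string // assumed values: "corp-lan", "public-wifi", ...
	NetworkBotnet   bool   // network has previously been seen in botnet activity
	BrowserCurrent  bool   // browser is a current, supported version
	DeviceManaged   bool   // device assurance: managed and compliant
	PasswordAgeDays int
}

// Response is the adaptive outcome: a graded answer, not just allow or "Access Forbidden".
type Response struct {
	Allow      bool
	StepUp     bool     // require a stronger authenticator before continuing
	Redact     []string // response fields hidden at this trust level
	RateLimit  int      // requests per minute; 0 means unthrottled
	AuditLevel string   // "normal" or "verbose"
}

// Labels is the login-time step: turn raw signals into tags that ride along in the
// session cookie or token and can be re-checked later without recomputing everything.
func Labels(c Context) []string {
	var tags []string
	if c.NetworkBotnet {
		tags = append(tags, "untrusted-network")
	}
	if !c.BrowserCurrent {
		tags = append(tags, "outdated-browser")
	}
	if !c.DeviceManaged {
		tags = append(tags, "unmanaged-device")
	}
	if c.PasswordAgeDays > 90 {
		tags = append(tags, "stale-password")
	}
	return tags
}

func has(tags []string, t string) bool {
	for _, x := range tags {
		if x == t {
			return true
		}
	}
	return false
}

// Decide is the per-access check: compare the current context with the state seen at
// login and degrade access in proportion to what changed, rather than blocking outright.
func Decide(initial, current Context, labels []string) Response {
	r := Response{Allow: true, AuditLevel: "normal"}
	// Login-time risk: a botnet-associated network plus an old browser means
	// more logging and a throttle, not a denial.
	if has(labels, "untrusted-network") && has(labels, "outdated-browser") {
		r.AuditLevel = "verbose"
		r.RateLimit = 30
	}
	// Intra-session drift: the user moved from a known corporate network to public Wi-Fi.
	// Keep the session alive but hide the sensitive field until trust recovers.
	if current.Network != initial.Network && current.Network == "public-wifi" {
		r.Redact = append(r.Redact, "price")
		r.AuditLevel = "verbose"
	}
	// Drift on an unmanaged device is where a stronger authenticator is worth the
	// friction; still "allow after step-up", not "no access".
	if current.Network != initial.Network && has(labels, "unmanaged-device") {
		r.StepUp = true
	}
	return r
}

func main() {
	login := Context{Network: "corp-lan", NetworkBotnet: true, BrowserCurrent: false, DeviceManaged: true, PasswordAgeDays: 20}
	tags := Labels(login)
	fmt.Println("labels in token:", strings.Join(tags, ","))
	fmt.Printf("same network later: %+v\n", Decide(login, login, tags))
	later := login
	later.Network = "public-wifi"
	fmt.Printf("moved to public wifi: %+v\n", Decide(login, later, tags))
}
```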

With the advent of more modern and capable security solutions in the IAM, authenticator, behavioral analytics, and risk analytics spaces – along with better hardware and new standards, such as FIDO, not to mention the all-powerful and pervasive smartphone – a more fine-grained, less intrusive approach is now possible while increasing the overall levels of protection for your applications and services.

As I explained in my previous blog, Zero Trust is the sensible approach to distributed applications/services as well as staff, but it is also pretty much the same approach we have already been taking with consumers. The convergence of employee and consumer use cases is also driving the need for a continuous approach to assuring the right people are accessing the correct resources at the right times.

In the constant arms race around securing and protecting your applications and services, taking a continuous approach to understanding and acting on risk is a key step forward. As with many examples across the identity and security space, context is vital and constant evaluation and reaction to the user’s context is the next logical step. 

When combined with modern approaches to strong authentication, risk decisioning, machine learning, and behavioral biometrics, CARTA is a way to increase your security posture while reducing user friction. The key to enabling these approaches is a combination of standards-based application development, SDKs for security, a wide catalogue of integrations to external signal generators and authenticators, and the engine to orchestrate it all together. For a deeper look at this, check out this webinar.


ForgeRock Achieves Highest Overall Ratings (4.6 out of 5) in Identity Governance and Administration

The ForgeRock team is excited to announce that we have achieved the highest Overall Ratings (4.6 out of 5, based on 12 reviews as of 31st January 2020) in the 2020 Gartner Peer Insights “Voice of the Customer” research for Identity Governance and Administration (IGA).

Gartner defines IGA as a collection of functionality that includes identity lifecycle, workflow, entitlement management, policy and role management, reporting and analytics, auditing, access certification, and access requests. The ForgeRock Identity Platform covers the entire list. Today, ForgeRock Identity Governance is fully accessible and has been deployed successfully by many of our customers.

We believe “Gartner Peer Insights” is a recognition of vendors in this market by verified end-user professionals. To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate. 

Our team at ForgeRock takes great pride in this distinction, as customer success is one of our core values. Customer feedback is how we continuously improve our products and services. 

Here are some excerpts from customers that contributed to ForgeRock receiving this score:

  • “ForgeRock serves as a one-stop shop for all identity and access management lifecycle needs. It offers a suite of modules that ease the management process in a big way.”
    —A VP, Finance Industry
  • “We are very happy with ForgeRock IDM, heavily leveraging its REST capabilities for integration in our portal landscape.”
    —Identity Architect, Education Industry
  • “This is a great innovative product. The tools provided are very helpful and make it easy to use and manage.”
    —IT Manager, Media Industry

ForgeRock’s focus on customer satisfaction is built into our company. Whether it is our exceptional Global Support Services team working 24/7 to resolve customer issues or our Deployment Support Services team dedicated to ensuring customer success, we are laser focused on making our customers successful. 

To all of our customers who submitted reviews, thank you! These reviews help shape our products and we look forward to building on the experience that earned us this distinction!  

If you have a great ForgeRock story to share, we encourage you to join the Gartner Peer Insights crowd and weigh in. For Access Management please use this link and for IGA please use this link.

Stay tuned for our upcoming blog series on governance trends. Meanwhile, feel free to reach out to start a conversation about any one of our products. We’re here to serve.


Gartner Peer Insights reviews constitute the subjective opinions of individual end users based on their own experiences and do not represent the views of Gartner or its affiliates.

Gartner, Gartner Peer Insights ‘Voice of the Customer’: Identity Governance and Administration, 23 March 2020, Peers 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


ForgeRock Helps Utah Save Taxpayers $15 Million and Offer a Safer, More Enhanced Online Experience

When the time was ripe for digital transformation, leaders in the State of Utah responded without hesitation. Taking notice that citizens everywhere were fully embracing the internet-powered world, the State of Utah was looking to achieve three goals: make it easier for its constituents to access government services securely, simplify identity management, and save taxpayers money. 

Offering more online services to citizens made sense to stakeholders in so many ways. The cost of each online transaction would be about $14 less than each over-the-counter transaction. And, beyond the cost savings to the state, more online services would mean greater convenience for citizens. For instance, residents could quickly and easily pay for parking tickets online. 

Living up to the state’s motto of “Industry” (represented by a beehive), the state government went to work on migrating many of its services online. But, as time went on, significant issues with the state’s initial identity management system started to emerge. As more and more online services were added, securely managing digital identities for all users, devices, and connected things became a challenge that Utah’s legacy solution couldn’t handle. Additionally, frequent outages resulted in access issues, especially for cloud-based services. And, perhaps most importantly, insufficient access security put users’ data at risk and could potentially mean violation of federal compliance mandates.

By implementing the ForgeRock Identity Platform, the State of Utah put all these concerns to rest. Here’s how:

  • Scalability: ForgeRock’s solution enables the state government to manage nearly two million internal and external digital identities – with the oversight of just one dedicated engineer.
  • Efficiency: Multiple interfaces enable integration of a broad spectrum of applications and services – including cloud-based services like ServiceNow and Google Drive. The state successfully integrated more than 900 applications and online services into the ForgeRock environment.
  • Security: Through multi-factor authentication (MFA), omnichannel privacy, and other security measures, the State of Utah can keep the sensitive data of internal and external users protected from breaches and other advanced threats. ForgeRock also empowers citizens to control the type of information they consent to share with the state. This makes for a better and safe user experience online while helping the state adhere to compliance requirements. 

Utah can now proudly say, “Mission accomplished.” The state government has met every one of its goals. It now delivers services faster and more cost-effectively – saving taxpayers $15 million – thanks to the ForgeRock Identity Platform.

If Utah can do it, so can you.