Continuous and Contextual Authorization

Deliver the right level of friction to users by continually evaluating their authorizations based on the actions they perform combined with context.

Modern Web Protection

Today’s web applications require flexible and extensible coarse-grained access control to allow access to those who need it, when they need it, and on the devices of their choice. ForgeRock Access Management provides web application protection capabilities for both consumers and your workforce. 

Our powerful centralized policy decision point (PDP) and design console allow you to create detailed policies for specific user groups, permissions, environments, and contextual conditions, such as time, location, IP address and more. Access Management is easily extensible to cover today’s massive array of intelligence sources so you can make more informed access control decisions. Enforce policies with next-generation policy agents for Apache, nginx, and Java, along with Identity Gateway-based protection for a zero-effort deployment. Alternatively, native application calls using our powerful REST/JSON-based API allow coverage for every resource in your environment.

Fine-Grained Authorization and IoT

You can use the ForgeRock Access Management policy engine to protect custom and non-HTTP-based resources, such as objects, data, and Internet of Things (IoT) components. With the simple-to-use design console, you can easily create custom resource types to map to things you need to protect. You can associate any action with any resource — such as “open” and “close” for a door or “on” and “off” for lights — and you’re done. You can easily map the action to the appropriate users with your environmental and contextual conditions and create a simple, yet powerful, object-based protection system. The authorization policies can be enforced via our powerful REST API or our intelligent Identity Gateway to allow for rapid integration with no changes to the underlying system.

Standards-Based Authorization Using OAuth 2.0

Modern applications, APIs, and microservices require modern standards-based approaches to authorization. The ForgeRock Access Management platform is a leader in providing OAuth 2.0 and OIDC provider and relying party (RP) capabilities. Whether issuing stateful or stateless JWT-based tokens, ForgeRock Access Management provides a range of out-of-the-box and easily customizable flows and capabilities to protect APIs and microservices at scale.

Capabilities such as Mutual TLS (mTLS), Client-Initiated Back Channel (CIBA), and Customizable Access Tokens provide banking-grade security and flexibility. Smarter OpenID Connect (OIDC) identity tokens with customizable claims scripting provide functionality above and beyond standard token issuance. Application designers can leverage the out-of-the-box capabilities of ForgeRock Identity Gateway to turn any legacy application into an OAuth 2.0-compliant application for simple and scalable standards-based authorization.

CARTA and Zero Trust Architecture

The ForgeRock Access Management platform provides a rich array of capabilities for developing modern Zero Trust authorization architectures. Application designers traditionally depended on risk analysis from networks to mitigate security issues. This approach was limiting and did not capture all the context. With the ForgeRock Access Management platform, you can combine identity and device information by capturing user and device context during login and, if needed, at every transaction, and respond to contextual changes. Using ForgeRock Intelligent Authentication trees, you can store, verify, and assess a wide variety of contextual information to make better and more informed decisions on risk.

ForgeRock Intelligent Authentication is the starting point for any CARTA or Zero Trust journey, where internal, external, identity, and device context is captured and stored. This is done either in the identity store or as ephemeral session properties, where the context can be baked into web tokens, OAuth 2.0 access tokens, or OIDC identity tokens. During token use, the context is recreated and compared to the context captured during login, allowing you to make access alterations dynamically. Any contextual changes can result in automatic throttling, data redaction, or access denial.

Open and Extensible Authorization

You can augment the ForgeRock Authorization platform to meet the most unusual and demanding use cases. No matter how flexible and powerful the authorization engine, there will always be situations where you need the capacity to extend beyond out-of-the-box functionality. The ForgeRock Platform has the extension points you require — whether you need to plug in custom policy conditions, deliver additional entitlements and response data, or add additional fields and claims into OAuth2 Access Tokens and OpenID Connect identity tokens.