what is forge rock

8/17/2019 What is Forge Rock

1/18

W H A T I S F

O R G E

R O C K ?

H O W

D O E S

I T

I M P

A C T

M E ?

Paul Dunham

TriNet March 2!"


2/18

FORGEROCK PRO#ECT GOA$S

• Passport users will see nothing diferent. This change

is 100% transparent to our users.• Replace current HRPassport security with a more

secure industry standard technology

• Pave the way or easy

• I%entit& mana'ement

• inte'rati(n () TriNet *ran%+• Sin'le Si'n,(n -SSO.

• Inte'rati(n /ith (ther +&+tem+


3/18

WHAT IS FORGEROCK?

ForgeRoc is a company that provides service and

support or the !"pen #dentity $tac htt01)(r'er(c34c(m

The "pen #dentity $tac is open source identitymanagement sotware supported &y a large

community o sotware and security companies

"pen #dentity $tac is light weight' scala&le and secure

http://forgerock.com/http://forgerock.com/


4/18

WHAT IS IDENTIT5 MANAGEMENT?

#dentity (anagement )#*(+ is a set o tools used to

manage all the users and passwords in our systemProvides us with tools to manage,

Authenticati(n -l('in.

Pa++/(r% -chan'e6 e70ire6 %i+a8le6 re+et.

9+er I%entit& %ata encr&0ti(n

Sin'le Si'n On -t( (ther TriNet *ran%+ an% t( (therC(m0anie+.

-We are n(t u+in' IDM )(r Auth(ri:ati(n at thi+ time.


5/18

WH5 DO WE NEED IT?

Tri-et is growing. s we grow we need the a&ility to

integrate new companies and new products /uicly andsecurely using industry standards.

#*( gives us a mechanism or managing all user identities

One t((l )(r all 8ran%+ an% 0r(%uct+

Ea+& t( im0lement Secure

Scala8le

Stan%ar%+ 8a+e%

Cr(++ 0lat)(rm


6/18

WHERE ARE WE STARTING?

The rst phase o the ForgeRoc implementation in Tri-et is to

replace the login mechanism in HR Passport.

HR Passport uses $eeer to login' validate users andpasswords. ll user and password inormation is stored inthe HP "racle data&ase

ith the new #*( all login credential inormation will &estored on the #*( 2*P servers.

-o other systems' &rands or data are &eing changed or phaseone.


7/18

See3er Se++i(nMana'ement

M(8ileGate/a

&

TriNetGate/a

&

See3er$('in Pa'e

See3er ASP

See3erASPA00+

SenchaA00+

M(8ile A00

Oracle HR

Data8a+e

3eore F(r'eR(c3 IDMInte'rati(n

$eeer 0er)(rm+ all l('inan% +e++i(n mana'ement


8/18

Oracle HR

Data8a+e

See3er Se++i(n

Mana'ement

M(8ileGate/a

&

TriNetGate/a

&See3er

ASP

See3erASPA00+

SenchaA00+

M(8ile A00

TriNet

Auth

F(r'eR(c3 HRPa++0(rt $('in

Pa'e

C(m0ati8ilit&$a&er

F(r'eR(c3IDM %8

ter F(r'eR(c3 IDM Inte'rati(n

Policy gentinterce0t+ all re;ue+t+

re%irectin' t( l('in 0a'e a+ nee%e% an%

F(r'eR(c3 P(lic& A'ent


9/18

WHAT IS TRINET A9TH

Tri-et uth is a we& service' developed &y the Tri-et e& $ervices Team' thatprovides access to authentication' session management and identity

management.

• $ign on

• $ign of

• 4hange password

• 5na&le 6 *isa&le account

• 7alidate uth Toen

• 8et user identity rom uth Toen

• 5.g. mo&ilegateway now calls Tri-et uth to signon users instead o calling$eeer.

• 5.g. $eeer calls Tri-et uth to change passwords' ena&le 6 disa&leaccounts.


10/18

4 $('in 0a'e create+ TriNetAuthC((3iean% >2+ 8r(/+er t( HRPa++0(rt 0a'e

"4 See3er u+e+ TriNetAuthC((3ie t( ;uer&

TriNetAuth4/ar )(r the EMP$ID TriNetAuthC((3ie

> TriNetAuthC((3ie

> TriNetAuthC((3ie

@

TriNetAuth

F(r'eR(c3IDM %8

" T r i Ne tA u

t h C(( 3 ie

? E M P $ I D

? E M P $

I D

y 4oncept1 9+er I%entit& -EMP$ID.derived )r(m theiNetAuthC((3ie6 not 0a++e% 8&e We8 *r(/+er4

https://www.hrpassport.com/https://www.hrpassport.com/


11/18

2+ t( F(r'e R(c3 l('in0a'e

>4 $('in 0a'e create+ TriNetAuthC((3iean% >2+ 8r(/+er t( HRPa++0(rt 0a'e

"4 We8$('ic u+e+ TriNetAuthC((3ie t(

;uer& TriNetAuth4/ar )(r the EMP$ID TriNetAuthC((3ie

> TriNetAuthC((3ie

> TriNetAuthC((3ie

@

TriNetAuth

F(r'eR(c3IDM %8

" T r i Ne tA u

t h C(( 3 ie

? E M P $ I D

? E M P $

I D

y 4oncept1 9+er I%entit& -EMP$ID.derived )r(m theiNetAuthC((3ie6 not 0a++e% 8&e We8 *r(/+er4

https://www.hrpassport.com/https://www.hrpassport.com/


12/18

WI$$ THE RO$$O9T IMPACT M5 PRO#ECT?

• Rolling out the code or ForgeRoc is no diferent than that

o any other pro:ect we move through the $*42 process.

• There is only impact i &oth pro:ects are modiying the samecode at the same time.

•

4on;icts are resolved using the normal priority and gitmerge mechanisms.


13/18

WHERE IS FORGEROCK

ForgeRoc is currently installed on,

• 4omplete < *ev

• 4omplete < $tage$ < 4omplete

• 4omplete < 43 )=5+ < 4omplete

• 4omplete < $tageR )>T+ < 4omplete

• (ay 1?th < Production

• (ay 1@th < 2iteR' *emo' 4' >T' T2*ev

• (ay 1Ath < =53' =54' 3#' 3#3' 2ite$

• (ay B0th < #T*ev' #T=


14/18

WHAT IS NEBT?

$u&se/uent phases will involve

• 5liminating the T$5$$#"-#* concept rom our applications• 4onverting other &rands to use Tri-et uth and ForgeRoc

#*(

• $witching $$" rom Ping Federated $$" to ForgeRoc $$"

• 5na&ling deep lining into HRPassport.

*ates and phases are not yet dened.


15/18

HOW DO I INTEGRATE WITH FORGEROCK Thin o ForgeRoc as a rewall. -o HTTP)s+ re/uests get &y ForgeRoc without a

Tri-etuth4ooie. # there is no cooie' ForgeRoc will display the login page'veriy the userCs credentials' create the Tri-etuth4ooie and resu&mit theoriginal HTTP)s+ re/uest with the cooie attached.

"nce the re/uest reaches your application you use the Tri-et uth we& servicesto get inormation a&out the logged in user rom the Tri-etuth4ooie. 5.g.

• 85Thttps,66gateway.hrpassport.com6trinetuth6services6v1.06authentication6guidD

toenETri-etuth4ooie 7alueG• Return+ the G9ID )(r the l(''e% in u+er

• GET htt0+1'ate/a&4hr0a++0(rt4c(mtrinetAuth+er=ice+=!4authenticati(nu+erG9ID

• Return+ the in)(rmati(n a8(ut the u+er1 Em0li%6 cu+t(mi%6 r+t6 mi%%le la+t name+4

There is no need to validate the Tri-etuth4ooie &ecause the HTTP re/uest willnot reach your application with out a valid Tri-etuth4ooie.


16/18

THERE ARE DIFFERENT TRINETA9THCOOKIES5ach environment has its own Tri-etuth4ooie name.

•

*ev Tri-etuth4ooie*57• $tage$< Tri-etuth4ooie$$

• 43< Tri-etuth4ooie43

• $tageR< Tri-etuth4ooie$R

• 4< Tri-etuth4ooie4

•

Prod < Tri-etuth4ooie

• 3e sure to mae your use o the Tri-etuth4ooie name acongura&le property in your application. The name is diferentin diferent environments and the name may change in the utureas we integrate with other systems.


17/18

DOC9MENT REFERENCES

• Turn "ver documents

• ForgeRoc Page on 4on;uence• htt0+1c(nuence4trinet,%e=(0+4c(m%i+0la&FRF(r'eR(c3

• This presentation

• htt0+1c(nuence4trinet,%e=(0+4c(m%i+0la&+ecurit&Whati+F(r'eR(c3,Pre+entati(n

• Tri-et uth P# documentation

• htt0+1c(nuence4trinet,%e=(0+4c(m%i+0la&FRtrinetAuthAPID(cumentati(n

https://confluence.trinet-devops.com/display/FR/ForgeRockhttps://confluence.trinet-devops.com/display/security/What+is+ForgeRock+-+Presentationhttps://confluence.trinet-devops.com/display/security/What+is+ForgeRock+-+Presentationhttps://confluence.trinet-devops.com/display/security/What+is+ForgeRock+-+Presentationhttps://confluence.trinet-devops.com/display/security/What+is+ForgeRock+-+Presentationhttps://confluence.trinet-devops.com/display/FR/ForgeRockhttps://confluence.trinet-devops.com/display/FR/ForgeRockhttps://confluence.trinet-devops.com/display/FR/ForgeRock


18/18

9ESTIONS?

what is forge rock

Documents