ForgeRock Workforce & Business Partner Identity Cloud Licensing Guide
This Ping Advanced Identity Cloud licensing guide is designed to help MAEs and SAs understand the Workforce Advanced Identity Cloud annual subscription model. We offer 6 Workforce Identity Cloud packages to meet the wide range of our customers' requirements. Pricing is based on the specific cloud packages purchased. All customers purchase the Identity Cloud Workforce Core package and can then add on additional packages such as Access Management, Edge Security Identity Gateway, Lifecycle Automation, Enterprise Connect, and IGA capabilities.
About the PingOne Advanced Identity Cloud
The PingOne Advanced Identity Cloud is the market's first comprehensive identity platform as a service. Built for organizations looking for a comprehensive, enterprise-grade identity platform, Advanced Identity Cloud delivers usability, customizability, and operational cost savings. It is packaged to meet your enterprise business needs. You can start your Advanced Identity Cloud journey with the Core package and add supplemental packages as needed.
Advanced Identity Cloud Workforce Core
The Advanced Identity Cloud Workforce Core package provides industry-leading technology essentials to meet the demand for superior digital experiences. The Core package is designed to solve your foundational workforce identity and access management needs. It includes the ability to quickly discover new joiners, movers, or leavers (JML) from authoritative sources like your human resources (HR) systems to determine user access privileges and centralize your user identities in the cloud. Workforce Core includes user authentication with a simple-to-use password mechanism and federation from third-party service providers to allow users to log in to Advanced Identity Cloud. Workforce Core also features user self-service capabilities to reset or change passwords, reducing your helpdesk service costs.
Advanced Identity Cloud Workforce Core Features:
Intelligent Access Capabilities
| Feature | Description | Documentation Link |
| --- | --- | --- |
| Authentication Journeys and Nodes | Authentication journeys provide fine-grained authentication, social authentication, and multi-factor authentication. Journeys are made up of authentication nodes. Authentication nodes allow multiple paths and decision points throughout the authentication flow, enabling Advanced Identity Cloud to handle different modes of authenticating users. | Authentication nodes and journeys |
| Session High Availability | Persistent access management sessions, keeping the user authenticated until the session expires. | Session high availability is enabled by default with no setup required. |

Inbound Federation Capabilities

| Feature | Description | Documentation Link |
| --- | --- | --- |
| SAML 2.0 SP | Inbound identity federation to facilitate login from a corporate access management system that is OIDC compliant or Active Directory. | Configure IDPs, SPs, and CoTs |
| SAML 2.0 SSO and SLO | Inbound Web Single Sign-On and Single Logout profile support. | Implement SSO and SLO |
| ADFS | Inbound federation with Active Directory Federation Services. | SAML 2.0 |
| OAuth 2.0 | Inbound OAuth 2.0 compliance for running an authorization server. | OAuth 2.0 |

Identity Lifecycle and Relationship Capabilities

| Feature | Description | Documentation Link |
| --- | --- | --- |
| Inbound Provisioning Engine | Provisioning engine to import data from an external resource into Advanced Identity Cloud. | Synchronization |
| Identity Lifecycle Management | An extensible object model that enables you to manage the complete lifecycle of identity objects. | Managed objects |
| Identity Relationship Lifecycle Management | Ability to create and track relationship references between objects. | Relationships between objects |
| Role Lifecycle Management | Provisioning roles to control how objects are exported to external systems, and authorization roles to control authorization within IDM. | Roles |
| Entitlement Lifecycle Management | Entitlements to provision attributes or sets of attributes, based on role membership. | Use assignments to provision users |
| Managed Organizations | Organizations let you grant fine-grained administrative privileges to users based on hierarchical groups. | Organizations |
| Delegated Administration | Grant role-based, limited access to perform fine-grained administrative tasks on managed objects. | Delegated administration |

Identity Self Service Capabilities

| Feature | Description | Documentation Link |
| --- | --- | --- |
| User Self-Registration | End-user self-service UI that lets users create their own accounts with customizable criteria. | User self-registration |
| Password Reset | End-user self-service UI for changing and resetting passwords based on predefined policies and security questions. | Password reset |
| Knowledge-Based Authentication | Verification of user identities based on predefined and end user-created security questions. | Security questions |
| Forgotten Username | Mechanisms to allow users to recover their usernames with predefined policies. | Username recovery |

Directory Services Capabilities (available to deploy and leverage outside of Advanced Identity Cloud)

| Feature | Description | Documentation Link |
| --- | --- | --- |
| LDAPv3 | Compliance with the latest LDAP protocol standards. | Learn LDAP |
| REST APIs | HTTP-based RESTful access to user data and server configuration. | Use HDAP |
| DSMLv2 Gateway | HTTP-based SOAP access to LDAP operations for web services. | Install a DSML gateway |
| High-Availability Multi-Master Replication | Data replication for always-on services, enabling failover and disaster recovery. | Replication |
| User/Object Store | Flexible key-value data model for storing users, devices, and things. | Learn LDAP |
| Passwords and Data Security | Password digests, encryption schemes, and customizable rules for password policy compliance to help protect data on disk and shared infrastructure. | Data encryption, Passwords |
Advanced Identity Cloud — Workforce Access Management
The Advanced Identity Cloud Access Management package provides increased security while improving user experience with capabilities such as single sign-on (SSO) to multiple applications, as well as adaptive and multi-factor authentication (MFA). It also provides strong authentication factors, including passwordless authentication using WebAuthn, FIDO, one-time passcode (OTP), email confirmation, mobile push, or magic link. Additionally, organizations requiring more contextual and fine-grained authorization enforcement can leverage Access Plus to enforce continuous and contextual authorization for transactions. Access Management also includes dynamic scopes and continuous risk monitoring capabilities.
Advanced Identity Cloud Workforce Access Management Features:
Intelligent Access Journeys

| Feature | Description | Documentation Link |
| --- | --- | --- |
| Multi-Factor and Strong Authentication | Capability to challenge for additional credentials when authentication takes place under centrally-defined risky or suspicious conditions. | Authentication |
| Web and Java Agents for SSO | Intercept requests to access protected resources and redirect for appropriate authentication. | Web Policy Agents 2023.9 and Java Policy Agents 2023.9 |
| User Login Analytics | Measure authentication flows using counters and start/stop timers to monitor performance. | |
Federation

| Feature | Description | Documentation Link |
| --- | --- | --- |
| SAML 2.0 IDP and SP | Identity federation with SaaS applications, such as Salesforce.com, Google Apps, WebEx, and many more. | |
| SAML 2.0 SSO and SLO | Web Single Sign-On and Single Logout profile support. | |
| ADFS | Federation with Active Directory Federation Services. | |
| SAML 2.0 Attribute and Advanced Profiles | Support for transmitting only attributes used by targeted applications. | |
| OpenID Connect | OpenID Connect 1.0 compliance for running an OpenID Provider, including advanced profiles, such as Mobile Connect. | |
| OAuth 2.0 | OAuth 2.0 compliance for running an authorization server. | |
Authorization Capabilities

| Feature | Description | Documentation |
| --- | --- | --- |
| Entitlement Policies - Coarse Grained | Modern web-based policy editor for building policies, making it possible to add and update policies based on static attributes such as group membership as needed without touching the underlying applications. | Authorization and policy decisions - limited to "subject conditions" |
| Transactional Authorization - Coarse Grained | Requires a user to perform additional actions, such as reauthenticating to a module or node or responding to a push notification, to gain access to a protected resource based on static attributes such as group membership. | Authorize one-time access with transactional authz - limited to "subject conditions" |
| Entitlement Policies - Fine Grained | Modern web-based policy editor for building policies, making it possible to add and update policies based on environmental and contextual attributes as needed without touching the underlying applications. | |
| Transactional Authorization - Fine Grained | Requires a user to perform additional actions, such as reauthenticating to a module or node or responding to a push notification, to gain access to a protected resource based on environmental and contextual attributes. | |
| OAuth 2.0 Dynamic Scopes | A single OAuth 2.0 client configured for a comprehensive list of scopes can serve different scope subsets to resource owners based on policy conditions. | |
Advanced Identity Cloud Enterprise Connect (SDO)
The Enterprise Connect package delivers desktop single sign-on (SSO) and workstation multi-factor authentication (MFA) for your workforce infrastructure. With a single workforce MFA solution, you can stop credential-based attacks and provide more secure access to business apps, systems, and services. It also includes remote desktop MFA to ensure secure access for virtual and remote Windows desktops. To support your hybrid workforce, Enterprise Connect enables you to secure your VPNs and other legacy applications, such as databases and Unix/Linux servers, using RADIUS.
Advanced Identity Cloud - Enterprise Connect Features:
| Feature | Description |
| --- | --- |
| Windows Workstation MFA | Protect your endpoints by enforcing MFA on Windows machines. |
| Windows Remote Desktop MFA | Protect your virtual Windows machines through MFA. |
| Windows Desktop SSO | Allow end users to be signed in automatically to the Advanced Identity Cloud environment after logging into Windows. |
| Windows RADIUS Proxy MFA | Protect your organization's tools, such as your organization's VPN, via the Windows RADIUS proxy. |
Advanced Identity Cloud — Enterprise Connect Passwordless
Advanced Identity Cloud — Edge Security Identity Gateway
The Identity Gateway package extends the security capabilities of PingOne Advanced Identity Cloud to legacy applications on-premises and to modern microservices running in the cloud. Identity Gateway enables Advanced Identity Cloud to coexist with legacy IAM solutions and augment legacy or home-grown applications with modern IAM capabilities, giving you time to execute on your cloud migration and security strategy. Ping Identity Gateway includes capabilities to create a secure perimeter for modern API traffic and microservices.
Advanced Identity Cloud Edge Security Identity Gateway Features:
Identity Gateway Capabilities
| Feature | Description | Documentation Link |
| --- | --- | --- |
| Studio | User interface for rapid development and prototyping. | IG Studio |
| Single Sign-On | Single sign-on in a single domain and across domains. | Single sign-on with OpenID Connect and Cross-domain single sign-on |
| Password Replay | Secure replay of credentials to legacy applications or APIs. | Password replay from AM, Password replay from a database, and Password replay from a file |
| Policy Enforcement | Enforcement of centralized authorization policies for applications requiring Access Management. | Policy enforcement |
| Federation | OpenID Connect 1.0. | OpenID Connect |
| | OAuth 2.0. | IG as an OAuth 2.0 resource server |
| | SAML 2.0. | Acting as a SAML 2.0 service provider |
| | SAML resources for mobile applications. | Transform OpenID Connect ID tokens into SAML assertions |
| Finance APIs | Support for OAuth 2.0 Mutual TLS and Financial-Grade APIs. | Validate certificate-bound access tokens and FapiInteractionIdFilter |
| WebSocket Protocol | Detection of requests to upgrade from HTTPS to the WebSocket protocol, and creation of a secure, dedicated tunnel to send and receive WebSocket traffic. | WebSocket traffic |
| Throttling | Throttling to limit access to protected applications. | Throttling |
Advanced Identity Cloud - Lifecycle Automation
The Lifecycle Automation package includes a full-featured outbound provisioning and deprovisioning engine with bi-directional synchronization. Lifecycle Automation reconciles application accounts seamlessly to ensure that user identity data, including passwords, is always up to date. It ensures that you have a secure application environment where all identity data is consistent across all systems. Lifecycle Automation also includes password synchronization plugins for Active Directory (AD) and LDAP servers (including Ping Directory Services) to ensure uniform password changes across all identity repositories. Lifecycle Automation also enables you to move easily from an existing on-premises service to Advanced Identity Cloud by providing pass-through authentication that validates passwords with a remote service, along with the ability to migrate a user's identity as part of authentication (just-in-time migration).
Advanced Identity Cloud Lifecycle Automation Features:
| Feature | Description | Documentation Link |
| --- | --- | --- |
| Discovery and Synchronization | Synchronization of identity data across managed data stores. | |
| Reconciliation | Alignment between accounts across managed data stores. | |
| Password Synchronization | Near real-time password synchronization across managed data stores. | |
| Directory Services and Active Directory Plugins | Native password synchronization plugins for Ping Directory Services and Microsoft Active Directory. | Synchronize passwords with DS, Synchronize passwords with Active Directory |
| All Connectors | Extensible interoperability for identity, compliance, and risk management across a variety of specific applications and services. | |
| Pass-through Authentication / Just-In-Time Migration | Authenticate and/or migrate identities from external data stores (directories, databases, etc.). | |
Advanced Identity Cloud - Workforce Access Certifications
The Access Certifications package enables organizations to perform periodic access certifications or access reviews to ensure continuous compliance, least-privileged access, and a Zero Trust security model. Certifications can also be generated ad-hoc when there is an organizational transformation or when a user changes roles to ensure that the access levels are still appropriate. When combined with Autonomous Identity, Access Certifications can accelerate manager access decision making with high-initiative access review campaigns embedded with AI-determined access recommendations and confidence scores.
Advanced Identity Cloud - Workforce Access Certifications Features:
| Feature | Description |
| --- | --- |
| Identity Certification | Delivers the ability to review all applications a user has access to and then certify, certify for a period of time, or revoke access to applications on an individual basis. |
| Entitlement Certification* | Delivers the ability to review and then certify or revoke the amount of access an end user has to an application based on their specific entitlement, to enforce least-privilege access. |
| Entitlement Metadata Certification* | Allows entitlement owners to review and certify that the description of the entitlement is an accurate and sufficient description of the access granted by the entitlement. |
| Role Definition Certification* | Delivers the ability for role owners to review and certify the entitlements (permissions or other roles), the description, membership rules, and other information about the role to make sure it is still accurate for the needs of the organization. |
| Role Membership Certification* | Allows reviewers to review and then certify or revoke an end user's membership in a specific role. |
| Application Certification* | Delivers the ability to review all users who have access to an application and then certify or revoke access to the application on an individual basis. |
Advanced Identity Cloud - Workforce Access Request
The Access Request package empowers users with a 24/7 self-service access request portal along with an access request catalog. This package provides application owners or user managers an easy-to-use approval inbox to review all of the requests waiting for approval. When combined with Autonomous Identity, Access Request can provide recommendations on what application(s) users should or should not have access to.
Advanced Identity Cloud - Workforce Access Request Features:
Advanced Identity Cloud - Workforce Identity Workflow
The Identity Workflow package automates the identity lifecycle processes with pre-configured, no-code identity orchestration workflow templates. The identity workflows enable you to quickly tailor activities such as user requests, approvals, escalations, and integrations to external systems. This package eliminates manual, error-prone processes and custom coding with a drag-and-drop graphical editor to rapidly design and personalize workflows to fit your business needs.
Advanced Identity Cloud - Workforce Identity Workflow Features:
Advanced Identity Cloud - Workforce Segregation of Duties
The Segregation of Duties (SoD) package enables least-privileged access security and a Zero Trust security model by applying and enforcing separation of duties. These SoD checks can be performed as preventive and detective checks to ensure security best practices and compliance with internal controls and regulations. The preventive controls can be enforced during user access requests so that a user cannot request roles or entitlements that conflict with something they already have. The detective controls can be evaluated ad-hoc or during certification to identify rogue accounts and inappropriate user access.
Advanced Identity Cloud - Workforce Segregation of Duties Features: