ForgeRock Directory Services 7.2 has been released

ForgeRock Directory Services 7.2 was and will be the last release of ForgeRock products that I’ve managed. It was finished when I left the company and was released to the public a few days after. Before I dive into the changes available in this release, I’d like to thank the amazing team that produced this version, from the whole Engineering team led by Matt Swift, to the Quality engineering led by Carole Forel, the best and only technical writer Mark Craig, and also our sustaining engineer Chris Ridd who contributed some important fixes to existing customers. You all rock and I’ve really appreciated working with you all these years.

So what’s new and exciting in DS 7.2?

First, this version introduces a new type of index: Big Index. This type of index is meant to optimize search queries that are expected to return a large number of results from an even much larger number of entries. For example, imagine an application that searches for all users in the USA who live in a specific state. In a population of hundreds of millions of users, you may have millions who live in one particular state (let’s say Ohio). With previous versions, searching for all users in Ohio would be unindexed, and the search, if allowed, would scan the whole directory data to identify the ones in Ohio. With 7.2, the state attribute can be indexed as a Big Index, and the same search query is considered indexed, only going through the reduced set of users that have Ohio as the value of the state attribute.

Big Indexes can have a lesser impact on write performance than regular indexes, but they tend to have a higher on-disk footprint. As usual, choosing the Big Index type is a matter of trade-off between read and write performance, but also disk space occupation, which may itself have an impact on performance. It is recommended to test and run benchmarks in development or pre-production environments before using them in production.

The second significant new feature in 7.2 is support for the HAProxy Protocol for LDAP and LDAPS. When ForgeRock Directory Services is deployed behind a software load balancer such as HAProxy, NGINX or a Kubernetes Ingress, DS cannot know the IP address of the client application (the only IP address known is the one of the load balancer); therefore, it is not possible to enforce specific access controls or limits based on the application. By supporting the HAProxy Protocol, DS can decode a specific header sent by the load balancer and retrieve information about the client application such as its IP address, but also some TLS-related information if the connection between the client and the load balancer is secured by TLS, and DS can use this information in access controls, logging, limits… You can find more details about DS support of the Proxy Protocol in the DS documentation.
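As an added illustration (not code from the post or from DS), here is a minimal decoder for the text form (version 1) of the PROXY protocol header a load balancer prepends to the connection, together with the check a server must make before trusting it: the header is unauthenticated, so it is only honoured when the TCP peer is one of the configured load-balancer addresses. The sample header, the TRUSTED_PROXIES allow-list and the function names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the line an HAProxy frontend configured with
# "send-proxy" prepends to the TCP stream before the first LDAP message.
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.45 10.0.0.7 51234 636\r\n"

# Hypothetical allow-list: only the load balancer's own addresses may
# assert a client address on behalf of someone else. The header carries
# no authentication, so accepting it from any peer would let that peer
# spoof the client address used for access control, limits and logging.
TRUSTED_PROXIES = {"10.0.0.7", "10.0.0.8"}


@dataclass
class ProxyInfo:
    family: str      # "TCP4" or "TCP6"
    src_ip: str      # the real client address
    dst_ip: str      # address the client connected to (the load balancer)
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Parse a PROXY protocol v1 header; return (info, remaining bytes).

    info is None for "PROXY UNKNOWN" (the proxy could not determine the
    client); a ValueError means the stream does not start with a valid
    header, and the connection should be rejected rather than guessed at.
    """
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > 107:        # a v1 header is at most 107 bytes
        raise ValueError("no PROXY v1 header")
    line, rest = data[:end].decode("ascii"), data[end + 2:]
    parts = line.split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("not a PROXY header")
    if parts[1] == "UNKNOWN":           # anything after UNKNOWN is ignored
        return None, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header")
    family = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family mismatch")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(parts[1], str(src), str(dst), sport, dport), rest


def effective_client_ip(peer_ip: str, data: bytes) -> str:
    """Address to feed into ACIs, limits and logs for this connection."""
    if peer_ip not in TRUSTED_PROXIES:
        # Untrusted peer: ignore any header it may have sent. The bytes
        # then fail LDAP decoding, which is the right outcome.
        return peer_ip
    info, _ = parse_proxy_v1(data)
    return info.src_ip if info else peer_ip
```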

In DS 7.2, we have added a new option for securing and hashing passwords: Argon2. When enabled (which is the default), this allows importing users with Argon2-hashed passwords and letting them authenticate immediately. Argon2 may also be selected as the default scheme for hashing new passwords, by associating it with a password policy (such as the default password policy). The Argon2 password scheme has several parameters that control the cost of the hash: version, number of iterations, amount of memory to use and parallelism (aka number of threads used). While Argon2 is probably today the best algorithm to secure passwords, it can have a very big impact on the server’s performance, depending on the Argon2 parameters selected. Remember that DS encrypts the entries on disk by default, and therefore the risk of exposing hashed passwords at rest is extremely low (if not zero).

Also new is the ability to search attributes with a DistinguishedName syntax using pattern matching. DS 7.2 introduces a new matching rule named distinguishedNamePatternMatch (defined with the OID 1.3.6.1.4.1.36733.2.1.4.13). It can be used, for example, to search for users with a specific manager with the following filter “(manager:1.3.6.1.4.1.36733.2.1.4.13:=uid=trigden,**)” or its more human-readable form “(manager:distinguishedNamePatternMatch:=uid=trigden,**)”, or to search for users whose manager is part of the Admins organisational unit with the following filter “(manager:1.3.6.1.4.1.36733.2.1.4.13:=*,ou=Admins,dc=example,dc=com)”.
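To make the pattern semantics concrete, here is an added Python illustration (not DS code) of how the two filters above can be evaluated against a constructed set of entries; the wildcard semantics it assumes are stated in the comments, and the entries other than uid=trigden, as well as the function names, are made up for the example.

```python
import re
from typing import Dict, List

# Assumptions for this illustration (inferred from the two filters in the
# post, not taken from the DS matching rule definition): a DN is split into
# RDNs on unescaped commas, "*" stands for exactly one RDN, "**" stands for
# any number of RDNs (including none), and literal RDNs are compared
# case-insensitively after trimming whitespace. Full RFC 4514 escaping and
# attribute-syntax-aware value normalisation are deliberately skipped.
_RDN_SEPARATOR = re.compile(r"(?<!\\),")

OID = "1.3.6.1.4.1.36733.2.1.4.13"       # from the post
RULE_NAME = "distinguishedNamePatternMatch"


def split_rdns(dn: str) -> List[str]:
    return [r.strip().lower() for r in _RDN_SEPARATOR.split(dn) if r.strip()]


def _match(pattern: List[str], rdns: List[str]) -> bool:
    if not pattern:
        return not rdns                # pattern exhausted: DN must be too
    head, tail = pattern[0], pattern[1:]
    if head == "**":                   # try consuming 0..n RDNs
        return any(_match(tail, rdns[i:]) for i in range(len(rdns) + 1))
    if not rdns:
        return False
    if head == "*" or head == rdns[0]:
        return _match(tail, rdns[1:])
    return False


def dn_pattern_match(pattern: str, dn: str) -> bool:
    return _match(split_rdns(pattern), split_rdns(dn))


def build_filter(attr: str, pattern: str, use_oid: bool = False) -> str:
    """Extensible-match filter string in the two forms shown in the post."""
    return f"({attr}:{OID if use_oid else RULE_NAME}:={pattern})"


def search(entries: List[Dict[str, str]], attr: str, pattern: str) -> List[str]:
    """DNs of entries whose attr matches the pattern: an in-memory stand-in
    for the server-side evaluation of build_filter(attr, pattern)."""
    return [e["dn"] for e in entries if attr in e and dn_pattern_match(pattern, e[attr])]


# Constructed sample entries; only uid=trigden comes from the post.
ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com",
     "manager": "uid=trigden,ou=People,dc=example,dc=com"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com",
     "manager": "uid=carol,ou=Admins,dc=example,dc=com"},
    {"dn": "uid=dave,ou=People,dc=example,dc=com",
     "manager": "uid=trigden,ou=Admins,dc=example,dc=com"},
    {"dn": "uid=erin,ou=People,dc=example,dc=com"},   # no manager at all
    {"dn": "uid=frank,ou=People,dc=example,dc=com",   # two RDNs below ou=Admins
     "manager": "uid=gina,ou=Staff,ou=Admins,dc=example,dc=com"},
]
```

Note that with these assumed semantics the single `*` does not match uid=frank's manager, which sits two levels below ou=Admins; check the DS documentation for the rule's exact behaviour before relying on it.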

ForgeRock Directory Services 7.2 includes several minor improvements:

As with every release, there have been several performance optimizations and improvements, and many minor issues have been corrected.

You can find the full details of the changes in the Release Notes.

I hope you will enjoy this latest release of ForgeRock Directory Services. If not, don’t reach out to me, I’m no longer in charge. 😀

The end of a chapter

After almost 12 years, I’ve decided to close the ForgeRock chapter and leave the company.

Now that the company has successfully gone public, and has been set on a trajectory to lead the Identity industry, it was time for me to pause and think about what matters to me in life. So I’ve chosen to leverage the exciting experience I’ve gained with ForgeRock and to start giving back to the startups in my local community.

But what an incredible journey it has been! I joined the company when it had a dozen employees, and I was given the opportunity to found the French subsidiary, to start an engineering center, to build an amazing team of developers and to deliver some rock-solid, highly scalable products. For this opportunity, I will always be thankful to the amazing 5 Founders of ForgeRock.

The ForgeRock Founders: Hermann, Victor, Lasse, Steve, Jonathan.

I have nothing but good memories of all those years, and of the amazing events organized for all the employees or for our customers. There have been many IdentityLive events (formerly known as Identity Summits), and there have been fewer but so energizing Company Meetings, in Portugal, Greece, the USA and Italy.

I’ve worked with a team of rock-star product managers, from whom I’ve learnt so much:

I’ve hired and built a team of talented software engineers, some of whom I’ve known for 20 years:

I don’t have enough space to write about all the different things we’ve done together, at work, outside work… But yeah, we rocked!

Overall, those 12 years have been an incredible and exciting journey, but what made the journey so exceptional is all the people who have come along. Without you, nothing would have been the same. Thank you! Farewell, but I’m sure we will meet again 😍

ForgeRock Identity Live, Austin TX

A few weeks ago, ForgeRock organised the first Identity Live event of the season, in Austin TX.

With more than 300 registered guests and an impeccable organisation by our Marketing team, the event was a great success.

The first day was sales oriented, with company presentations, roadmaps and product demonstrations, but also testimonies from existing customers. The second day focused on the technical side of the ForgeRock solutions, in an unconference format, where Product Managers, Technical Consultants and Engineers shared their experience and knowledge with the audience.

It was great to meet again so many colleagues, partners, customers; to have lively conversations about the products, the projects and the overall directions of the Identity technology.

You can find more photos of the event in the dedicated album.

ForgeRock Identity Day Paris (2019)

On Thursday, November 21st, the ForgeRock Identity Day took place in Paris, a half-day information session about our company and our products, intended for our customers, prospects and partners.

Hosted by Christophe Badot, VP for France, Benelux and Southern Europe, the event opened with a presentation by Alexander Laurie, VP Global Solution Architecture, on market trends and ForgeRock’s vision, delivered in French with a lovely English accent.

We heard testimonials from our customers: CNP Assurance, GRDF and the Renault-Nissan-Mitsubishi Alliance. Thanks to them for sharing their needs and the solution ForgeRock provided.

Léonard Moustacchis and Stéphane Orluc, Solutions Architects at ForgeRock, gave a live demonstration of the power of the ForgeRock Identity Platform through a web and mobile banking application. And I had the honour of closing the day with a presentation of the product roadmap, and above all of ForgeRock Identity Cloud, our SaaS offering available since the end of October.

The afternoon ended with a cocktail reception, which gave us the chance to talk in more detail with the attendees. All the photos of the event can be seen in the album on my Flickr account.


And now the English shorter version:

On Thursday November 21st, we hosted ForgeRock Identity Day in Paris, a half-day event for our customers, prospective customers and partners. We presented our vision of the identity landscape, our products and the roadmap. And three of our French customers: CNP Assurances, GRDF and the Renault-Nissan-Mitsubishi Alliance, presented how ForgeRock has helped them with their digital transformation and identity needs. My colleagues from the Solutions Architect team ran a live demo of our web and mobile sample banking applications, to illustrate the power of the ForgeRock Identity Platform. And I closed the day with a presentation of the product roadmap and especially of ForgeRock Identity Cloud, our solution as a service. As usual, all my photos are visible in this public Flickr album.

ForgeRock IdentityLive London (2019)

Last week, I was in London to attend the last ForgeRock IdentityLive summit of 2019. Once again, it was a great event, very well attended by over 250 customers and prospects, in locations close to London Bridge. The first day was packed with presentations from ForgeRock (keynote, roadmap, demos by the Product Management team…) and from 5 different customers: E-Trade, Hargreaves Lansdown, SwissCom, NHS Digital and BMW. I really enjoyed these customers’ testimonies and I want to address special kudos to Anthony Wilson, Product Manager for Identity at NHS Digital, for running a live (and successful) demo of an iPad application specifically built for paramedics to allow them to access patients’ medical records, in a highly trusted yet password-less manner.

The second day was the usual unSummit, with more technical discussions and hands-on workshops. I ran a session about my favorite subject: Directory Services, and everyone else’s favorite subject: Containers and Kubernetes. I explained all the work we’re doing to automate the deployment of replicated DS instances and ran a live demonstration of deploying a 3-way replicated service on MiniKube on my laptop, in a couple of minutes; and also how to scale it up to 4 instances in just a click. Kudos to the Directory Services engineering team for reaching that milestone on the way to the 7.0 release of the ForgeRock Identity Platform.

During the event, we also showed our support for Women In Identity, a program I’m particularly fond of, as a father of 3 girls (although probably none of them will work in Identity or even IT).

Finally, here’s the obligatory link to my photo album of IdentityLive London.

LDAPCon 2019

The 7th International LDAP Conference has been announced and will take place in Sofia, Bulgaria on November 4-6. The first day will be reserved for workshops, the main conference taking place on the 5th and 6th.

LDAPCon brings together vendors, developers, active LDAP practitioners and system administrators to share their experiences about service operations, interoperability and application development, and to discuss LDAP at large, in a friendly and passionate atmosphere.

A call for participation has been opened and will remain open until August 1st (since extended to August 18th, see the update below).

Update on CfP closure, now August 18th.

ForgeRock Identity Live Berlin

Last week, the IdentityLive tour stopped in Berlin for the first European event of 2019 (the second one will be in London on October 8th-9th).

It was a good opportunity to meet and discuss with our European customers (or the European teams of our global customers). For me, the main topic of discussion was Kubernetes and running Directory Services in Docker/K8S. It was also something that I’d discussed a little bit during the Nashville Identity Live, but not as much as I did in Berlin. I also gave a talk on that subject at the Identity Live Cloud Workshop (the second day of the event focuses on the technical aspects of our products and solutions). I’ve started to write another article to detail my talk, and I hope to publish it here in the next few days. Meanwhile, you can find all the photos from Identity Live Berlin on my Flickr page as usual.

ForgeRock IdentityLive Berlin 2019

Note that Identity Live Berlin took place at the “Classic Remise”, which is a showroom for old and sports cars. An unusual place for a conference, but a good opportunity to admire some pretty old cars and try to take a different kind of photo.

Cars from Classic Remise Berlin

ForgeRock Identity Live Nashville, TN

Two weeks ago, the ForgeRock Identity Live series of events kicked off. This year the USA-based event moved to Nashville, TN.


This was my first visit to the city of Country Music and honky-tonks. It was fun listening to the live music everywhere, trying (and buying) boots, visiting the Country Music Hall of Fame, although we didn’t really have much time for leisure.


The Identity Live event itself was really good and very well attended. The engagement of our Customers and Partners was great and we had a myriad of discussions, feedback and questions about our products, our roadmap and our progress on our move to the Cloud.


The videos of the sessions are already available on the ForgeRock website. And you can also see the photos that I took during the event.

Next is Berlin Identity Live, on June 6-7. Registration is still open! I’m looking forward to seeing you in Berlin!

Identity Live London is over, Paris is next…

It’s been a couple of intense days in London with over 200 attendees at the London stop of the ForgeRock Identity Live world tour.


In London, we had 3 important customers who explained how they are innovating with the help of digital identities, each of them providing online services to over 30 million users: the BBC, Maersk and Pearson. And we had 3 major UK banks who joined a panel to discuss OpenBanking and APIs in the banking industry. I particularly enjoyed the well-mastered presentations by Bianca Lopes, about the data that we leave online and that ties back to our identity, and by Spencer Kelly, technology presenter of the BBC show “Click”.

Today, we had our “unConference” day, where the engineering team joins the product management team to discuss with our customers and partners how to leverage the newest features of the ForgeRock Identity Platform, whether already released or soon to be.

My photos of the Identity Live London are now publicly visible here: https://www.flickr.com/photos/ludovicpoitou/albums/72157701508676261

And now, on to the next and last stop for 2018: Paris, November 13 and 14. Register and join us!


[Post Event Update]

You can find the few photos that I’ve taken on the Flickr album.


ForgeRock Identity Live Berlin

The second show of the ForgeRock worldwide tour of Identity Live events took place last week in the beautiful city of Berlin.

My colleagues from the Marketing team have already put together a summary of the event, with a highlight video and links to the slides and videos of the sessions.

And my photo album of the event is also visible online here:

ForgeRock Identity Live Berlin 2018

See you at the next Identity Live in Sydney or in Singapore in August.

Open Provisioning ToolKit phoenix moment

I’m sitting in training this week with our Solution Architects team and was talking to my long-time colleague Scott Fehrman about a customer I recently met and a mention of the Open Provisioning ToolKit (OpenPTK) in one of the slides. OpenPTK is an open source project that Scott, Terry Sigle and Derrick Harcey founded at Sun Microsystems some years ago.

As we were talking, Scott realized that the website that hosted the OpenPTK source code, issues and downloads (java.net) is gone. As he had a copy of the latest version, he put it back online on his GitHub account.

If anyone is using OpenPTK and would like to get the code, or even better work on it, it has risen from the ashes and is now publicly available:

https://github.com/sfehrman/openptk

ForgeRock Identity Live Austin

The season for the ForgeRock Identity Live events opened earlier in May with the first of a series of 6 worldwide events in 2018, Identity Live Austin.

With the largest audience since we started these events, this was an absolutely great event, with, as usual, passionate and in-depth discussions with customers and partners.

You can find highlights, session videos and selected decks on the event website.

And here is my summary of the 2-day conference in pictures.

The next event will take place in Europe, in Berlin on June 12-13. There is still time to register, and you can look at the whole agenda of the summits to find one closer to your home. I’m looking forward to meeting you there.

ForgeRock UnSummit in Bristol – March 2nd.

Allan Foster, VP Global Partner Enablement, master of ceremony of the 2016 San Francisco UnSummit.

On March 2nd, ForgeRock will be hosting an UnSummit, a free and open-to-all event, in Bristol. In an “unconference” format, join us in ForgeRock’s Bristol offices at Queen’s Square for a day of discussions and presentations with users, deployers and developers of the ForgeRock Identity Platform.


Top 5 reasons why you (or your team) should join us?

  1. It’s a day for techies and nothing like a regular conference
  2. If you’re interested in identity or working on an identity project – it’s a must!
  3. There will be 30+ sessions to choose from during the day
  4. It’s a great opportunity to visit Bristol – one of Britain’s leading “Smart Cities”
  5. It’s complimentary so no charge to attend

You can register and find more details on the ForgeRock website. And if you’re still hesitating, please check what TechSpark wrote about the coming UnSummit.

I’ll be attending the UnSummit and hope to see you there.


The Identity Tech Talks are coming to Paris

For more than a year, monthly meetups have been held in London to discuss the technologies around digital identity, identity and access management, governance, security…

The Identity Tech Talks are coming to Paris, on December 1st and then every month.

For the first one, the topics presented are “Forget your password!” and “How it works: OpenID Connect, from Google’s universal identity provider to FranceConnect”.

The venue is La Source @ Le Tank (ground floor), 22 bis rue des Taillandiers, Paris 8.

To register, head over to Meetup.

Hoping to see you there on December 1st, at 6:15 pm.