Monday, 27 January 2014 13:02

Open source venture that's profited from Oracle's actions


When Oracle acquired Sun Microsystems, it was an open secret that the major reason for the purchase was Java. Other Sun products and projects were going to take second place.

This meant change for many of the open source projects which Sun had nurtured and developed. While much is known about the way in which MySQL's administration has given life to MariaDB, and the events that led to the forking of OpenOffice.org to give birth to LibreOffice, there are other, lesser-known entities that have also arisen due to Oracle's seeming inability to manage open source projects.

Among the latter group is ForgeRock, an open-source identity and access management company, which was founded in 2010 with very little seed capital. The founders were all part of Sun's extended community and they decided to focus on Sun's identity and access management products. One of the four co-founders of Sun, Scott McNealy, is also involved in ForgeRock.

It was a good decision because Oracle had its own products to cater to these niches and soon dropped support for Sun's products, all of which were under the Community Development and Distribution Licence, an open source licence.

iTWire spoke to Lasse Andresen, the chief technical officer of ForgeRock (pictured above), at length about how the company came to be and its current operations.

iTWire: It seems a bit ironic that one of the founders of Sun is now involved in a company trying to lure business away from its products. Who were the five friends who formed the company and how did they come to unite on this line of products?

Lasse Andresen: ForgeRock was founded in 2010 on a mere $40,000 in seed capital. The founders are all still very involved in the company and include me, the chief technical officer, Steve Ferris, vice-president of services, Jonathan Scudder, OpenAM architect, Victor Ake, product manager, and Hermann Svoren, vice-president of sales.

Given the circumstances, it is not ironic at all that the founders, a group of talented engineers, developers and consultants who had been part of the extended Sun community, would decide to start a company based on the products they had helped design and deploy for some of Sun's largest customers. At the time, Sun had been recently purchased by Oracle. Since Oracle already had a full portfolio of identity and access management products, it was not surprising to the founders when Oracle announced that it would end of life (EOL) the Sun products. Oracle offered the Sun IAM customers two options: purchase a very expensive life-time support agreement for products that are no longer in development (no upgrades) or replace them with the Oracle products. Both options are very risky and expensive.

ForgeRock provides a third option to these customers. We have continued to evolve and innovate on the Sun open source code base and offer a feature-rich, highly reliable and scalable, next generation IAM product platform – the ForgeRock Open Identity Stack. Many of our customers are previous Sun customers, such as the government of Norway and Telecom New Zealand. However, more and more, our newer customers, such as GEICO and Vantiv, are replacing other legacy platforms.

Can you explain exactly what — in layman's language — OpenAM, OpenDJ and OpenIDM do? Are these built from scratch or are they based on some other codebase? What language are they written in?

OpenAM provides end-to-end access management services including:

Authentication (Who Are You?) – Single Sign-on (SSO) service for validating user identity for on-premises, cloud and mobile solutions. Creates a sign-on once, access everywhere environment. One password for accessing all assets.

Authorisation (What Can You Do?) – Service for granting a user permission to use web, mobile and cloud resources in a secured environment based on defined policies. Uses coarse-grained policies based on static information – group, role, etc.

Entitlements (What Can You Do @ Object Level?) – Service for granting users permission to use discrete objects within web, mobile and cloud resources. Uses fine-grained policies based on dynamic information – real-time attributes. Supports XACML, a popular authorisation or fine-grained entitlements standard.

Federation (Who Are You?) – Standards-based SSO for allowing identities to be shared securely across disparate networks and applications. Supports SAML, a standards-based method of implementing SSO.

Identity Gateway (Who Are You?) – SSO without the need to modify the target application or the container that it runs in. In short, it allows you to implement SSO without having to ever touch the target application you are trying to protect. Ideal for legacy applications that need to be included in SSO infrastructure without having to touch the application (e.g. – mainframe app).

OpenIDM provides end-to-end access management services including:

Core User Management – Provides a foundation framework to support identity synchronisation, reconciliation and basic provisioning activities within an organisation. All capabilities provided are exposed using the ForgeRock REST web API, and they can be used directly in your application. All activities occurring within the system get properly logged and made available for reporting purposes.

Password Management – Password management provides and leverages OpenIDM capabilities to support enterprise, cloud and mobile password management use-cases, such as self-service of passwords, challenge/response questions to support password resets, password synchronisation and interception on native systems where there is support, while at the same time complying with corporate password policies.

Workflow and Business Process Management – Together with the Workflow and Business Process engine, OpenIDM can be extended to fully allow for workflow-driven provisioning processes to be put in place. Extending OpenIDM with this module provides the capability to invoke workflows throughout the product or schedule tasks. Approvals, notifications, escalations and other typical workflow-related constructs are supported.

OpenDJ provides a cloud/mobile ready identity data store that does the following:

Identity Data Store – OpenDJ provides a secure, reliable and scalable generic data store to higher-level applications, based on the LDAPv3 standard specifications. Clients accessing the data store are authenticated and access to the data is controlled, ensuring confidentiality of possibly sensitive data. Also, it provides web-based access to the Directory Service, through Web Services (DSMLv2) or REST interfaces (HTTP REST/JSON).

Under what licensing were the Sun products that you are aiming to replace sold?

The open source licences for Sun OpenSSO and OpenDS were CDDL.

Who are your competitors?

Many of our customers are migrating off legacy IAM platforms, typically from vendors such as IBM, Oracle and CA. These vendors developed their IAM portfolios through acquisition to meet the needs of employee-focused IAM, so these IAM products were initially designed to be deployed behind the corporate firewall to protect corporate data. In addition to being complex and difficult to scale, these platforms are also not designed to meet the needs of cloud and mobile computing.

ForgeRock, on the other hand, is committed to the development of next generation identity and access management, often referred to as identity relationship management. The ForgeRock platform of products is designed to be simple to deploy and manage, as well as developer-friendly. A single, common programming interface enables simple access to OpenAM, OpenIDM, and OpenDJ, so that each delivers rich, modular, massively scalable, lightweight identity relationship management services.

Removing the complexity of the underlying services with multiple tiers of API abstraction is a significant advantage to developers and the business. Now, for the first time, a developer can utilise re-usable shared services across an entire identity platform, whatever the requirements of the application strategy. This is a completely different model from the standard legacy provider approach, which requires developers to bend applications to support the vendor. The ForgeRock developer-centric approach and common API development platform is changing what was once costly and complex into easily accessible and re-usable solutions that companies can implement safely and efficiently, whether internally or externally, in order to effectively drive top line revenue.

Why choose the CDDL licence? During the time of OpenSolaris, it was the terms of this licence that tended to make it difficult for outsiders to contribute.

The initial decision to use the CDDL licence was made by Sun Microsystems. We are not able to comment on why that decision was made by Sun Microsystems.

Many companies have made a success of things by choosing a more open licence like the GNU general public licence. How come you never considered something like this?

Our products are forks from Sun OpenSSO and OpenDS, which were CDDL.

How much of a contribution do you get from outside – I mean the community?

We get lots of community contribution in the form of code evaluation, bug reporting, and feature requests. We do accept a limited amount of new code, as well, although ForgeRock engineering is the primary developer.

How does the company look after the community that has collected around these products?

We have community events in the US and Europe, and email aliases for daily collaboration.

In what industries have you made the most headway?

We have made headway in multiple verticals - telecom, healthcare, government, education, manufacturing, service providers, financial services, and more. A full list of our publicly referenceable customers is here.

Let's say someone wants to make a code contribution. How would I go about it?

We have a small number of approved committers who can contribute code directly. Other members can get involved with the discussions on the development mailing lists, answering user questions, suggesting patches for bug fixes or features, and helping to improve the documentation.

Please join our community here and become a VIP.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
