ForgeRock and Graph Databases for Identity Management

Contributors: Dave Bennett, Derek Small

Nulli has been working with graph databases to determine their applicability to Identity and Access Management (IAM) with respect to policy definition, governance and accountability. This research and development has been driven by our own interest in better representing IAM information so that it can be leveraged in access policy decisions. Nulli sees the growth of identities and their supporting data attributes as requiring a flexible methodology for exposing relationships between identity attributes. The relationships between and among identity data touch points are critical to enforcing ever more complex authentication and authorization rules, driven by the increasing number of identities that IAM systems are required to manage.


Understanding relationships is key for elastic identity management solutions that support the governance, privacy and security objectives of modern organizations. The growth of network-accessible devices, applications and people fuels the demand for flexible identity repositories that map relationships between humans, devices, sensors and applications. Existing relational and hierarchical repositories provide foundations for managing this growing identity inventory but can be expensive to query when establishing the relationships that drive policy decisions. This is where Nulli has shown the ease with which graph databases, such as Neo4j, provide very efficient answers to relationship queries in support of trust modelling, governance, privacy and security.

The following is a technical brief presented and demonstrated at the ForgeRock Identity Summit on May 28, 2015 in Half Moon Bay, California. The paper describes how Nulli created an OpenAM Post Authentication Plug-in to interrogate a graph database and respond with a level of identity assurance consumed by an OpenAM Policy that decides whether a higher level of authentication might be required post login by a protected resource.

Leveraging Graph Databases with ForgeRock OpenAM


Access Management (AM) is concerned with authenticating users and determining whether they have permission to access requested resources. Core to the ForgeRock™ Identity Platform is the design and implementation of access control policies. In its most common form, an access control rule is specified by subjects, objects, permissions, and conditions, and lets the AM system determine whether a user (subject) is able to perform an operation on a resource (object) under the current condition.

Client-Based Access Control – A Graph Database Implementation

Nulli has developed a simple access management use case whereby ForgeRock™ OpenAM is used to protect resources. Users’ authentication history is utilized to control access to those resources. To access the service, a user is required to be authenticated to OpenAM. However, basic authentication may not be sufficient. Depending on the client type, the user may or may not be granted access and additionally, further steps may be required.

We approach a solution through an OpenAM enhancement that makes use of the Neo4j™ graph database to store and retrieve historical authentication data. Our OpenAM extension consists of two plugins: a post-authentication plugin (PAP) and a policy condition plugin. The former stores users’ authentication history and the latter uses this data to make informed decisions on granting access to protected resources. The following provides a high-level description of the two pieces.
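To make the two-plugin design and the subject/object/permission/condition rule shape concrete, here is an added, self-contained model that is not Nulli's plugin code and does not talk to OpenAM or Neo4j. An in-memory class stands in for the graph (users linked to the clients they authenticated from, with one event per attempt), `record()` plays the post-authentication plugin's role, and `assurance_level()` plays the policy condition's role. The assurance thresholds (30-day window, three clean successes, a client shared by more than three users capped at level 1) and the client identifiers are this example's assumptions, not the paper's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed toy model of the graph; the real design stores this in Neo4j via the PAP.


@dataclass(frozen=True)
class AuthEvent:
    """One authentication attempt: the node the PAP would write into the graph."""
    user: str
    client_id: str     # assumed stable device/browser identifier, e.g. a device cookie
    client_type: str   # "browser" or "mobile" in this example
    success: bool
    at: datetime


class IdentityGraph:
    """In-memory stand-in for (User)-[:AUTHENTICATED_FROM]->(Client) with per-attempt events."""

    def __init__(self) -> None:
        self.user_events: Dict[str, List[AuthEvent]] = {}
        self.client_users: Dict[str, Set[str]] = {}

    def record(self, ev: AuthEvent) -> None:
        """Post-authentication plugin role: store the attempt and link user to client."""
        self.user_events.setdefault(ev.user, []).append(ev)
        self.client_users.setdefault(ev.client_id, set()).add(ev.user)

    def events_for(self, user: str, client_id: str, since: datetime) -> List[AuthEvent]:
        """Relationship query: this user's attempts from this client within the window."""
        return [e for e in self.user_events.get(user, []) if e.client_id == client_id and e.at >= since]

    def users_on_client(self, client_id: str) -> int:
        """How many distinct users have authenticated from this client (shared-device signal)."""
        return len(self.client_users.get(client_id, ()))


def assurance_level(graph: IdentityGraph, user: str, client_id: str, now: datetime,
                    window: timedelta = timedelta(days=30), shared_client_max: int = 3) -> int:
    """Policy-condition role. 0: client never seen for this user in the window;
    1: seen, but with recent failures, too few successes, or a widely shared client;
    2: established client with a clean recent history. Thresholds are assumed."""
    recent = graph.events_for(user, client_id, now - window)
    if not recent:
        return 0
    failures = sum(1 for e in recent if not e.success)
    successes = len(recent) - failures
    if failures or successes < 3 or graph.users_on_client(client_id) > shared_client_max:
        return 1
    return 2


@dataclass
class AccessRule:
    """Subjects, objects, permissions and a condition (allowed client types + required level)."""
    subjects: Set[str]
    objects: Set[str]
    permissions: Set[str]
    allowed_client_types: Set[str]
    required_level: int


def evaluate(rule: AccessRule, graph: IdentityGraph, subject: str, obj: str, permission: str,
             client_id: str, client_type: str, now: datetime) -> str:
    """Return "ALLOW", "STEP_UP" (authenticated, but a stronger factor is required) or "DENY"."""
    if subject not in rule.subjects or obj not in rule.objects or permission not in rule.permissions:
        return "DENY"
    if client_type not in rule.allowed_client_types:
        return "DENY"
    level = assurance_level(graph, subject, client_id, now)
    return "ALLOW" if level >= rule.required_level else "STEP_UP"


def demo() -> Dict[str, str]:
    """Constructed history: a trusted laptop, a phone with a failed attempt, a shared PC, a kiosk."""
    now = datetime(2015, 5, 28, 9, 0)
    g = IdentityGraph()
    for d in range(4):  # four clean logins from the laptop over the past four days
        g.record(AuthEvent("alice", "laptop-1", "browser", True, now - timedelta(days=d + 1)))
    g.record(AuthEvent("alice", "phone-1", "mobile", False, now - timedelta(days=2)))
    g.record(AuthEvent("alice", "phone-1", "mobile", True, now - timedelta(days=2)))
    for u in ("alice", "bob", "carol", "dan", "erin"):  # five users on one shared PC
        for d in range(3):
            g.record(AuthEvent(u, "shared-pc", "browser", True, now - timedelta(days=d + 1)))
    rule = AccessRule({"alice"}, {"/payroll"}, {"GET"}, {"browser", "mobile"}, required_level=2)
    return {
        "laptop": evaluate(rule, g, "alice", "/payroll", "GET", "laptop-1", "browser", now),
        "phone": evaluate(rule, g, "alice", "/payroll", "GET", "phone-1", "mobile", now),
        "shared": evaluate(rule, g, "alice", "/payroll", "GET", "shared-pc", "browser", now),
        "kiosk": evaluate(rule, g, "alice", "/payroll", "GET", "kiosk-1", "kiosk", now),
    }


if __name__ == "__main__":
    print(demo())
```

The split mirrors the paper's division of labour: the PAP only writes facts about each login, and the policy condition derives a decision from the relationships those facts form. Because the level is computed per user-client pair, a client that many users share, or one with a recent failed attempt, yields "STEP_UP" rather than an outright allow, while a client type the rule does not list is refused regardless of history.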

Download: Leveraging Graph Databases for Access Management

View the slides that Dave presented on May 28th at the ForgeRock Identity Summit here.