ForgeRock Production Deployment Checklist

47 battle-tested checkpoints from 100+ enterprise deployments

Pro tip: Check items as you complete them, then print/save as PDF for your records

Phase 1: Planning & Architecture (Pre-Deployment)

PLANNING

Define authentication journeys and user flows

Map all authentication scenarios: standard login, MFA, social login, passwordless, account recovery

→ Authentication Journey Design Guide

Size infrastructure for expected load

Calculate TPS requirements, concurrent sessions, storage needs. Plan for 3x peak load capacity.

Design directory schema and data model

Define custom attributes, object classes, indexes, and data retention policies

→ LDIF Attribute Mapping Guide

Plan IDM provisioning and reconciliation workflows

Map source systems, define connectors, reconciliation schedules, and error handling

→ IDM Sync Strategies

Document OAuth 2.0/OIDC client registrations

List all applications, grant types, redirect URIs, scopes, and token lifetimes

→ Custom OAuth2 Flows

Design SAML federation topology

Identify all IdP and SP integrations, certificate management, attribute mapping

→ SAML SSO Implementation

Phase 2: Infrastructure Setup

INFRASTRUCTURE

Deploy ForgeRock DS with replication

Minimum 2 DS instances per datacenter. Configure replication, backup, monitoring.

Configure external user store connectors (if applicable)

Active Directory, LDAP, database connectors. Test read/write operations.

Set up MySQL/PostgreSQL for IDM

Production-grade database with failover, connection pooling, and performance tuning

→ MySQL Performance Tuning

Deploy Kubernetes/OpenShift cluster (for ForgeOps)

Multi-node cluster with persistent storage, ingress, secrets management

→ ForgeOps on OpenShift Guide

Configure load balancers with sticky sessions

AM requires session affinity. Configure health checks on /json/health endpoint.

Set up centralized logging (ELK/Splunk)

Ship logs from AM, IDM, DS, IG to central logging platform

→ Audit Logging Best Practices

Phase 3: ForgeRock AM Configuration

ACCESS MANAGEMENT

Configure realms and authentication chains

Create realms for each tenant/environment. Design modular authentication trees.

→ Custom Callbacks Guide

Implement custom authentication nodes/scripts

Develop, test, and deploy custom nodes. Version control in Git.

→ AM Script Customization

Configure OAuth 2.0 provider settings

Token lifetimes, supported grant types, PKCE enforcement, refresh token rotation

→ OAuth2 Deep Dive

Create clients for all applications with appropriate scopes and redirect URIs

Configure SAML 2.0 entity providers

Import metadata, configure circles of trust, attribute mapping

→ SAML IDP/SP Configuration

Set up session management and SSO

Session timeouts, max concurrent sessions, SSO cookie domain and security flags

Configure privilege escalation and step-up authentication

Define sensitive operations requiring re-authentication or MFA

Harden amadmin and service accounts

Strong passwords, restrict access, enable MFA for privileged accounts

Enable advanced debug logging (initially)

Configure debug.log for troubleshooting. Plan to reduce verbosity post-launch.

→ Debug Logging Techniques

Phase 4: ForgeRock IDM Configuration

IDENTITY MANAGEMENT

Configure connectors to source systems

HR systems, Active Directory, databases. Test connectivity and error handling.

Create and test synchronization mappings

Bidirectional sync rules, attribute transformations, conflict resolution

→ Resolving Mapping Errors

Implement reconciliation schedules

Full and incremental recon schedules. Monitor for blocked reconciliations.

→ Troubleshooting Blocked Recon

Configure LiveSync for real-time provisioning

Enable LiveSync on critical connectors for immediate propagation

Develop custom scripted logic

onUpdate, onCreate scripts for complex business rules

→ IDM Scripting Guide

Set up password synchronization workflows

Sync passwords to downstream systems securely

→ Password Sync Workflow

Configure audit event handlers

JsonAuditEventHandler for compliance logging, retention policies

Implement workflow approvals (if needed)

Manager approval for sensitive role assignments, provisioning requests

Phase 5: ForgeRock Identity Gateway (IG)

API GATEWAY

Deploy IG as reverse proxy

Position IG in front of APIs and legacy apps requiring authentication

→ IG API Security Best Practices

Configure routes and filters

OAuth2ResourceServerFilter, throttling, CORS, header injection

Implement token validation and transformation

Validate JWT/opaque tokens, transform claims for downstream apps

Set up API rate limiting and threat protection

Prevent abuse, DDoS protection, anomaly detection

Phase 6: Security Hardening

SECURITY

Generate and install SSL/TLS certificates

Use trusted CA, wildcard or SAN certs, plan rotation schedule

Configure Kubernetes secrets for sensitive data

Never hardcode passwords. Use GenericSecret or external secret managers.

→ Managing Kubernetes Secrets

Enable HTTPS-only communication

Disable HTTP. Enforce HSTS headers, secure cookies.

Implement network segmentation

DMZ for external-facing components, internal network for data stores

Configure firewall and security groups

Whitelist only required ports and IP ranges

Enable security headers

X-Frame-Options, X-Content-Type-Options, CSP, X-XSS-Protection

Implement CORS policies

Restrict allowed origins, methods, headers for browser-based apps

Phase 7: Testing & Validation

TESTING

Test all authentication journeys

Standard login, MFA, social, passwordless, error scenarios

Validate OAuth 2.0/OIDC flows

Authorization code, client credentials, refresh token, token introspection

Test SAML SSO with all service providers

IdP-initiated, SP-initiated, SLO, attribute assertions

Run load and stress tests

Simulate 3x peak expected load. Monitor CPU, memory, response times.

Verify IDM provisioning end-to-end

Create/update/delete users. Confirm propagation to all target systems.

Conduct security penetration testing

OWASP Top 10, token security, session management, injection attacks

Phase 8: Go-Live & Operations

PRODUCTION

Create runbooks and escalation procedures

Document common issues, troubleshooting steps, on-call rotation

ForgeRock Production Deployment Checklist

ForgeRock Production Deployment Checklist

Phase 1: Planning & Architecture (Pre-Deployment)

Phase 2: Infrastructure Setup

Phase 3: ForgeRock AM Configuration

Phase 4: ForgeRock IDM Configuration

Phase 5: ForgeRock Identity Gateway (IG)

Phase 6: Security Hardening

Phase 7: Testing & Validation

Phase 8: Go-Live & Operations

Get More ForgeRock Deployment Guides

Latest Articles

ForgeRock Production Deployment Checklist

Phase 1: Planning & Architecture (Pre-Deployment)#

Phase 2: Infrastructure Setup#

Phase 3: ForgeRock AM Configuration#

Phase 4: ForgeRock IDM Configuration#

Phase 5: ForgeRock Identity Gateway (IG)#

Phase 6: Security Hardening#

Phase 7: Testing & Validation#

Phase 8: Go-Live & Operations#

Get More ForgeRock Deployment Guides

Latest Articles

Phase 1: Planning & Architecture (Pre-Deployment)

Phase 2: Infrastructure Setup

Phase 3: ForgeRock AM Configuration

Phase 4: ForgeRock IDM Configuration

Phase 5: ForgeRock Identity Gateway (IG)

Phase 6: Security Hardening

Phase 7: Testing & Validation

Phase 8: Go-Live & Operations