ForgeRock Access Management (Workforce IAM)
Teamware Solutions
4 - 7 years
Bengaluru
Posted: 21/05/2026
Job Description
Consultant ForgeRock Access Management (Workforce IAM)
Locations: Bangalore / Pune / Hyderabad
Service Line: Cyber Security Identity & Access Management
Experience: 4-7 Years
Position Summary
We are seeking a high-performing Consultant ForgeRock Access Management (Workforce
IAM) with strong experience in designing, implementing, and operating ForgeRock-based
workforce identity solutions. The role involves delivering enterprise-scale identity and
access transformation programs focused on employee, contractor, and privileged user
access across hybrid and cloud environments. The selected candidate will be responsible for
hands-on configuration of ForgeRock Access Management capabilities, enabling secure SSO,
conditional/adaptive access, and MFA with emphasis on phishing-resistant authentication
(e.g., FIDO2/WebAuthn/passkeys) and security hardening. You will collaborate with client
stakeholders to build Zero Trust-aligned workforce identity architectures and ensure audit-ready controls.
Key Responsibilities
Implement and configure ForgeRock Access Management (AM) for workforce IAM use cases (SSO, Federation, Adaptive/Conditional Access, MFA).
Design and implement Single Sign-On (SSO) for SaaS, custom, and on-prem applications using SAML 2.0, OAuth 2.0, and OpenID Connect (OIDC).
Build and manage authentication journeys using ForgeRock Authentication Trees and Nodes (including custom scripts/nodes as required).
Implement Multi-Factor Authentication (MFA) and step-up authentication policies with a focus on phishing-resistant MFA (FIDO2/WebAuthn/passkeys/security keys) and controlled fallback methods.
Design contextual and risk-based access policies (device, geo, IP/network zones, behavior signals) aligned to Zero Trust and least privilege.
Integrate ForgeRock with enterprise directories (Active Directory/LDAP) and configure identity store, authentication modules, and mappings.
Configure federation relationships (IdP/SP), certificate/key management, signing/encryption policies, and metadata exchange.
Implement session and token hardening: secure cookie settings, timeouts, re-auth triggers, concurrent session control, PKCE and best practices for OIDC/OAuth.
Configure claims mapping, scopes, JWT customization, and token transformation based on application requirements.
Troubleshoot authentication, federation, MFA, session, and token-related issues using logs, audit trails, and protocol traces.
Support workforce IAM architecture for hybrid and cloud environments; participate in solutioning, estimation, and delivery planning.
Develop High-Level and Low-Level Design documentation, build/configuration guides, and operational runbooks.
Automate deployments and operations using REST APIs, scripting (JavaScript/Groovy), and CI/CD patterns where applicable.
Support migration from legacy IAM platforms and contribute to audit/compliance activities (controls evidence, logging, policy validation).
Required Skills & Qualifications
3-7 years of experience in Identity & Access Management (IAM).
Minimum 2 years of hands-on experience with ForgeRock Access Management (AM) implementing workforce authentication and SSO.
Strong understanding of authentication and federation standards: SAML 2.0, OAuth 2.0, OpenID Connect, JWT/JWS/JWE.
Hands-on experience implementing conditional/adaptive access and step-up authentication using ForgeRock Authentication Trees/Policies.
Hands-on experience implementing MFA, including phishing-resistant MFA (FIDO2/WebAuthn/passkeys/security keys) and secure enrollment/recovery flows.
Experience integrating with Active Directory / LDAP and troubleshooting directory/authentication issues.
Experience with REST APIs and basic scripting (JavaScript/Groovy; familiarity with PowerShell or Python is a plus).
Strong troubleshooting skills across auth flows, sessions, cookies, redirects, and protocol-level issues.
Preferred Qualifications
Experience with ForgeRock Identity Management (IDM) and/or ForgeRock Identity Gateway (IG).
Experience with containerized deployments (Docker/Kubernetes/OpenShift) and HA/DR architectures for IAM.
Exposure to SIEM/log analytics (Splunk/ELK) and building audit-ready authentication logging and reporting.
Knowledge of Zero Trust architecture patterns, device trust concepts, and modern authentication hardening practices.
Experience with cloud platforms (Azure/AWS/GCP) and hybrid identity integrations.
Relevant certifications (nice to have): ForgeRock certifications, Security+, or equivalent IAM/security certifications.
