ForgeRock
Thoma Bravo (private equity) · Ping Identity (acquisition closed August 2023)
Last verified 2026-05-30 · Reviewed by guptadeepak
Editorial verdict
ForgeRock continues as a distinct platform within Ping Identity's portfolio in 2026, with Authentication Trees orchestration, deep on-prem deployment, and Java-heavy customization that suit large enterprise and public-sector buyers with installed deployments. For new CIAM evaluations, the post-acquisition roadmap uncertainty and the complexity of choosing between PingOne and ForgeRock Identity Cloud weigh heavily: most new buyers should evaluate PingOne first and reach for ForgeRock only when on-prem or governance integration specifically requires it.
At a glance
- Best for: Existing ForgeRock customers continuing investment in installed deployments
- Pricing: enterprise-quote
- Free tier: None
- Deployment: cloud-saas, on-prem, hybrid
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: Yes
- Open source: No
Funding & business
- Funding model: Private-equity owned
- Total raised: $230M
- Latest round: Acquired · 2023
- Years in business: 16 yrs
- Round led by: Thoma Bravo
- Profitable: Not disclosed
Investors
VC-backed (Accel, Meritech, KKR), IPO'd 2021, taken private by Thoma Bravo in 2023 and folded into Ping Identity.
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Authentication Trees orchestration, among the most mature visual auth-journey builders for enterprise scenarios.
- Strong on-prem deployment story with the deepest customization model (custom Java auth nodes) of any platform in this index.
- FedRAMP High, PCI Level 1, HIPAA, with consent and lifecycle capabilities suitable for regulated industries.
- Strong identity governance integration (lifecycle, certification, role mining) when paired with ForgeRock IGA.
Limitations
- Acquired by Ping Identity in 2023; the long-term roadmap and product convergence with PingOne are unsettled.
- Pricing opacity and six-figure annual minimums; no path for mid-market evaluation.
- Java-heavy customization model creates significant lock-in once production trees are deployed.
- DX trails the developer-first tier substantially; iteration loops are slow.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | Yes |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | Yes |
| Step-up auth | Yes |

| Capability | Support |
|---|---|
| RBAC | Yes |
| ABAC | Yes |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Yes |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | Yes |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, java, dotnet, python, go, ios, swift, android, kotlin |
| CLI | Yes |
| Terraform provider | Partial |
| Local emulator | No |
| Extension model | Authentication Trees + custom auth nodes (Java) + scripted nodes |

| Capability | Support |
|---|---|
| Bot detection | Yes |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | Yes |
| Log streams | Yes |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | Partial |

| Capability | Support |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Yes |
| ISO 27001 | Yes |
| ISO 27018 | Yes |
| HIPAA | Yes |
| PCI DSS | Level 1 |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | High |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | Yes |
| Preference center | Yes |
| Purpose-specific consent | Yes |
| Integrates with CMPs | OneTrust, TrustArc |
Pricing
| Scale | Estimated price |
|---|---|
| 10,000 MAU | Quote required |
| 100,000 MAU | $8,000/mo |
| 500,000 MAU | $22,000/mo |
| 1,000,000 MAU | $38,000/mo |

- ForgeRock Identity Cloud (managed) and self-managed deployments are commercially separate
- Per-user / per-MAU pricing varies by deal; expect six-figure annual minimums for self-managed
- Professional services often required for complex deployments
- Post-Ping-acquisition product roadmap continues but pricing alignment with PingOne is still in progress
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Existing ForgeRock customers continuing investment in installed deployments
- Large enterprise / public-sector with complex federation and on-prem requirements
- Regulated industries needing identity governance integrated with CIAM
Not for
- New CIAM evaluations below the enterprise-quote threshold
- Mid-market SaaS or startups prioritizing developer velocity
- Teams uncertain about post-acquisition roadmap stability
FAQ
- Is ForgeRock still a separate company from Ping Identity?
  - No, Ping Identity acquired ForgeRock in August 2023 (both privately held under Thoma Bravo). The ForgeRock platform continues to be sold and developed, but the long-term product strategy involves integration with PingOne. As of 2026 the two platforms remain commercially distinct.
- Should I pick ForgeRock or PingOne for a new deployment?
  - For most new deployments, PingOne is the recommended path: fewer migration concerns, a broader cloud-native posture, and clearer roadmap alignment with the combined company's investment. ForgeRock makes sense for buyers requiring on-prem deployment, deep Java customization via Authentication Trees, or integration with ForgeRock Identity Governance.
- What does ForgeRock cost?
  - Pricing is enterprise quote-based, with six-figure annual minimums typical. Identity Cloud (managed) is generally less expensive than self-managed deployments at comparable scale. Below those thresholds, ForgeRock is not commercially accessible.
Sources
- ForgeRock Documentation, accessed 2026-04-22
- Ping Identity ForgeRock acquisition close announcement, accessed 2026-04-22
What ForgeRock is
ForgeRock launched in 2010 as a fork of Sun's OpenSSO project and grew into one of the largest enterprise CIAM platforms before being acquired by Ping Identity in August 2023. Both companies were taken private under Thoma Bravo. The ForgeRock platform (Identity Cloud (managed), the self-managed Identity Platform, plus the Identity Governance and Autonomous Identity products) continues as a distinct portfolio within the combined company.
Where ForgeRock wins
Authentication Trees is the orchestration differentiator. The visual auth-journey builder predates competitors like DaVinci or Descope's Flows by years, and the customization model (first-class custom Java auth nodes plus scripted nodes) gives engineering teams more expressive control than visual editors that constrain them to a node palette. For enterprise auth journeys with custom risk signals, integration with proprietary backends, and complex multi-step KYC, the depth pays off.
The on-prem deployment story is among the strongest in the index. ForgeRock Identity Platform has been deployed in some of the world's largest installations (banks, governments, telecoms), with the operational maturity that comes from running at that scale across decades. For workloads that require on-prem identity stores with strict data sovereignty, ForgeRock is one of the few platforms that ships this credibly.
Identity Governance integration is meaningful. When CIAM and IGA come from the same vendor, lifecycle, certification, and role mining flows can share data models without integration tax. That is uncommon in this index, where most vendors do CIAM only.
Compliance is full-stack: FedRAMP High, PCI DSS Level 1, HIPAA, ISO 27001/27018, with consent management and preference center capabilities that match regulated-industry expectations.
Where ForgeRock hurts
The post-Ping-acquisition uncertainty is the lasting friction. Two platforms that both ship cloud, on-prem, and orchestration products are now under one company; convergence is announced but the timeline is unclear. For new buyers, the decision between PingOne and ForgeRock Identity Cloud is harder than it was pre-acquisition, and migrations between the two are not yet a smooth path.
Pricing opacity is severe even by enterprise CIAM standards. No published pricing, six-figure annual minimums typical, professional-services-heavy onboarding. For mid-market evaluation this is disqualifying.
The Java-heavy customization model creates significant lock-in once production Authentication Trees are deployed. Trees with custom Java nodes do not port to any other platform without rewriting; even within the Ping portfolio, migrating to DaVinci is a substantial project.
DX trails the developer-first tier substantially. The admin tooling reflects 2010-era enterprise design choices; SDK coverage is functional but iterates more slowly than Auth0 / Stytch / Clerk.
How ForgeRock compares
The most relevant within-portfolio comparison is Ping Identity vs ForgeRock for buyers choosing between the two combined-company platforms. For developer-first enterprise CIAM at lower cost, Auth0 is the alternative. For modern orchestration at mid-market price points, Descope covers a similar use case. For self-hosted with similar deployment autonomy, Keycloak is the open-source option.