PingOne Advanced Identity Cloud extension

Extension that collects PingOne Advanced Identity Cloud (ForgeRock) data.

Overview

PingOne Advanced Identity Cloud (formerly ForgeRock Identity Cloud) is a comprehensive IAM service. This extension allows you to ingest exposed metrics and logs.

Use cases

  • Use metrics to monitor performance and activity within your deployment
  • Use audit logs to investigate user and system behavior
  • Use debug logs to investigate issues in production
  • Use metrics and log data to alert on desired events

Requirements

Advanced Identity Cloud deployment

A supported Advanced Identity Cloud deployment that exposes the following APIs is required:

  • Audit and debug logs
  • Identity Manager Prometheus API
  • Access Management

Identity Cloud authentication for logs

To collect logs, make sure you have an API key and secret.

Identity Cloud Prometheus monitoring for metrics

To collect metrics, Prometheus monitoring must be enabled in the Identity Cloud environment. Review the Identity Cloud documentation for details.

Activation and setup

  1. Find the extension in Dynatrace Hub and add it to your environment.

  2. Add a monitoring configuration.

    • These Dynatrace-related settings are required to ingest logs via the main Dynatrace API which can handle larger volumes:
        • Dynatrace Environment ID
        • Dynatrace API Token: scope must include logs.ingest
        • Dynatrace ActiveGate API Port: default 9999 (make sure the ActiveGate API endpoint has not been disabled)

    • Identity Cloud connectivity settings:
        • Hostname
        • API Key
        • API Secret
        • Audit & debug log collection interval
        • Log sources
        • Log level

    • Review the available feature sets to determine which you want to collect.

Details

Log events

Log events from the various sources available in the Identity Cloud logs API (e.g. am-access, am-activity, idm-authentication) can be ingested. You can control the collection interval for logs.
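
Once audit sources are being ingested, they can drive detections. The following is an added example, not code from the extension or its vendor, that flags principals with repeated failed logins inside a sliding window. The am-authentication source name, the record shape (payload.timestamp, payload.eventName, payload.result, payload.principal) and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _rec(ts, result, user):
    # Builds one constructed record; the field names are assumptions.
    return {"source": "am-authentication",
            "payload": {"timestamp": ts, "eventName": "AM-LOGIN-COMPLETED",
                        "result": result, "principal": [user]}}


# Constructed sample data, not output captured from a real tenant.
SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:05Z", "FAILED", "alice"),
    _rec("2024-05-01T10:00:40Z", "FAILED", "alice"),
    _rec("2024-05-01T10:01:10Z", "SUCCESSFUL", "bob"),
    _rec("2024-05-01T10:02:30Z", "FAILED", "alice"),
    _rec("2024-05-01T10:03:00Z", "FAILED", "carol"),
    _rec("2024-05-01T10:20:00Z", "FAILED", "carol"),
    _rec("2024-05-01T10:41:00Z", "FAILED", "carol"),
    {"source": "am-core", "payload": "plain-text debug line"},
]


def failed_login_bursts(records, threshold=3, window_minutes=5):
    """Map each principal to the time it first hit `threshold` failures in the window."""
    window = timedelta(minutes=window_minutes)
    failures = []
    for rec in records:
        payload = rec.get("payload")
        # Debug sources can carry plain-text payloads; only structured audit events count.
        if rec.get("source") != "am-authentication" or not isinstance(payload, dict):
            continue
        if payload.get("eventName") != "AM-LOGIN-COMPLETED" or payload.get("result") != "FAILED":
            continue
        when = datetime.fromisoformat(payload["timestamp"].replace("Z", "+00:00"))
        failures.extend((when, user) for user in payload.get("principal") or ["<unknown>"])
    recent, alerts = defaultdict(deque), {}
    for when, user in sorted(failures):  # sort so out-of-order batches are handled
        seen = recent[user]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()  # drop failures that fell out of the sliding window
        if len(seen) >= threshold:
            alerts.setdefault(user, when)
    return alerts


if __name__ == "__main__":
    for user, when in failed_login_bursts(SAMPLE_RECORDS).items():
        print(f"{when.isoformat()} repeated failed logins for {user}")
```

Slow, spread-out failures (carol in the sample) stay below the default threshold; tune `threshold` and `window_minutes` to the lockout policy of the tenant.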

Metrics

AM and IDM expose a variety of metrics via a Prometheus endpoint which the extension will ingest. Review the feature sets at the bottom of this page for details on the metrics available. These are collected once per minute.

Licensing and costs

There is no charge to use the extension. You are only charged for the data that the extension ingests.

The PingOne Advanced Identity Cloud extension ingests custom metrics, which consume Davis Data Units (DDUs) (Dynatrace classic license) or Metrics powered by Grail (DPS), according to your license model.

Metrics are collected once per minute. The following formulas approximate the number of metric data points ingested per minute. Actual consumption is highly variable based on traffic volume and patterns in your environment. For a more accurate estimate, run the extension for a period of time to determine metric consumption.

Identity Management:

(2 * providers * registration types) + (user types) + (3 * operations per managed object) + (3 * unique action operation and outcome) + (audit topics) + (3 * object mappings)

Access Management:

3 + (5 * unique sessions and outcomes) + (1 * authentication outcomes) + (3 * unique operations by token type) + (2 * grants by type) + (2 * types of token issued) + (2 * unique authorization evaluations)

Dynatrace Platform Subscription

In the Dynatrace Platform Subscription, metric ingestion consumes Metrics powered by Grail according to the number of ingested metric data points.

To calculate the approximate yearly consumption, apply the following calculation: <metric data points per minute> * 60 minutes * 24 hours * 365 days.

For log records, license consumption is based on the size (in bytes) of data ingested and processed, retained, and queried, so there is not a single formula to estimate the total consumption from this extension. For details on the other dimensions that affect license consumption, see Log Analytics.

Dynatrace classic license

In the classic licensing model, metric ingestion consumes Davis Data Units (DDUs) at the rate of .001 DDUs per metric data point. Multiply the above formula for annual data points by .001 to estimate annual DDU usage.

For log records:

  • In Log Management and Analytics, log ingestion consumes Davis Data Units (DDUs) at the rate of 100 DDUs per gigabyte of log records ingested. See DDU consumption for Log Management and Analytics for details.
  • In Log Monitoring Classic, log ingestion consumes Davis Data Units (DDUs) at the rate of .0005 DDUs per ingested log record. Multiply the estimated ingested log records by .0005 to estimate DDU usage from log records.

The DDU cost above does not include any possible log events or custom events that are triggered by the extension. For more information, see DDU events.

Feature sets

When activating your extension using a monitoring configuration, you can limit monitoring to one of the feature sets. To work properly, the extension has to collect at least one metric after the activation.

In highly segmented networks, feature sets can reflect the segments of your environment. Then, when you create a monitoring configuration, you can select a feature set and a corresponding ActiveGate group that can connect to this particular segment.

All metrics that aren't categorized into any feature set are considered to be the default and are always reported.

A metric inherits the feature set of a subgroup, which in turn inherits the feature set of a group. Also, the feature set defined on the metric level overrides the feature set defined on the subgroup level, which in turn overrides the feature set defined on the group level.

identity-management

| Metric name | Metric key | Description |
| --- | --- | --- |
| Self-service registrations | idm_selfservice_user_registration_count | Count of all successful user self-service registrations by registration type and provider |
| Self-service password resets | idm_selfservice_user_password_reset_count | Count of all successful user self-service password resets. |
| Successful logins | idm_user_login_count | Count of all successful logins by user type |
| Managed object operation duration | idm_managed_seconds | Duration of operations on a managed object by quantiles |
| Operations on a managed object | idm_managed_count | Number of operations by managed object |
| Managed object operation duration (overall) | idm_managed_seconds_total.count | Total duration of operations on a managed object |
| Repository datasource action duration | idm_repo_seconds | Duration of actions to a repository datasource for a generic/explicit mapped table by quantiles |
| Repository datasource actions | idm_repo_count | Count of actions to a repository datasource for a generic/explicit mapped table |
| Repository datasource action duration (overall) | idm_repo_seconds_total.count | Overall duration of actions to a repository datasource for a generic/explicit mapped table |
| Audit events | idm_audit_count | Count of all audit events generated of a given topic type |
| Mapping configuration duration (quantiles) | idm_sync_objectmapping_seconds | Duration of configurations applied to a mapping by quantiles |
| Mapping configurations | idm_sync_objectmapping_count | Number of configurations applied to a mapping |
| Mapping configuration duration (overall) | idm_sync_objectmapping_seconds_total.count | Total duration of configurations applied to a mapping |


access-management

| Metric name | Metric key | Description |
| --- | --- | --- |
| Session operations | am_session_count | Session operations (e.g. 'check-exists', 'create', 'add-pll-listener') |
| Session operation duration (quantiles) | am_session_seconds | Duration of session operations (e.g. 'check-exists', 'create', 'add-pll-listener') by quantile |
| Session operation duration (overall) | am_session_seconds_total.count | Total duration of session operations (e.g. 'check-exists', 'create', 'add-pll-listener') by quantile |
| Total session lifetime | am_session_lifetime_seconds_total.count | Total session lifetime |
| Total session lifetime measurement count | am_session_lifetime_count | Count of measurements for total session lifetime |
| Authentications | am_authentication_count | Authentications by outcome (e.g. 'success', 'failure', 'timeout') |
| CTS total task time | am_cts_task_queue_seconds_total.count | Total time taken to perform CTS operations by type (e.g. 'create', 'read', 'delete') |
| CTS task queue size | am_cts_task_queue_size | Number of items waiting in a CTS queue |
| CTS task duration | am_cts_task_seconds | Time taken to perform CTS tasks by operation type |
| CTS tasks | am_cts_task_count | CTS tasks by operation type |
| CTS task total duration | am_cts_task_seconds_total.count | Total time taken to perform CTS tasks by operation type |
| OAuth 2.0 grant completions | am_oauth2_grant_count | OAuth 2.0 grant completions by grant type |
| OAuth 2.0 grant revocations | am_oauth2_grant_revoke_count | OAuth 2.0 grant revocations by grant type |
| OAuth 2.0 token issuances | am_oauth2_token_issue_count | OAuth 2.0 token issuances by token type |
| OAuth 2.0 token revocations | am_oauth2_token_revoke_count | OAuth 2.0 token revocations by token type |
| Policy evaluation calls | am_authorization_policy_set_evaluate_count | Policy evaluation calls under a given policy type |
| Policy evaluation call duration | am_authorization_policy_set_evaluate_seconds_total.count | Policy evaluation call duration by policy set and outcome |


default

| Metric name | Metric key | Description |
| --- | --- | --- |
| Identity Cloud availability | forgerock_identity_cloud.availability | Availability as determined by checking for OK status from the '/monitoring/health' URL |