Extension that collects PingOne Advanced Identity Cloud (ForgeRock) data.
PingOne Advanced Identity Cloud (formerly ForgeRock Identity Cloud) is a comprehensive IAM service. This extension allows you to ingest exposed metrics and logs.
A supported Advanced Identity Cloud deployment that exposes the following APIs is required:
To collect logs, make sure you have an API key and secret.
To collect metrics, Prometheus monitoring must be enabled in the Identity Cloud environment. Review the Identity Cloud documentation for details.
Find the extension in Dynatrace Hub and add it to your environment.
Add a monitoring configuration.
Dynatrace Environment ID
Dynatrace API Token: scope must include logs.ingest
Dynatrace ActiveGate API Port: default 9999 (make sure the ActiveGate API endpoint has not been disabled)
Identity Cloud connectivity settings:
Hostname
API Key
API Secret
Audit & debug log collection interval
Log sources
Log level
Review the available feature sets to determine which you want to collect.
Log events from the sources available in the Identity Cloud logs API (e.g. am-access, am-activity, idm-authentication) can be ingested. You can control the collection interval for logs.
AM and IDM expose a variety of metrics via a Prometheus endpoint which the extension will ingest. Review the feature sets at the bottom of this page for details on the metrics available. These are collected once per minute.
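As an added example (not part of the extension or of the original page), the sketch below shows the kind of check these counters support once collected: it parses two Prometheus text scrapes and computes the share of non-success authentications in the interval between them, using the am_authentication_count key listed in the feature sets. The label name `outcome`, the sample scrapes and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed scrapes, one collection interval apart. The label name
# "outcome" and the sample values are assumptions for illustration.
SCRAPE_T0 = '''\
# TYPE am_authentication_count counter
am_authentication_count{outcome="success",} 1200.0
am_authentication_count{outcome="failure",} 30.0
am_authentication_count{outcome="timeout",} 5.0
am_session_count{operation="create",outcome="success",} 1180.0
'''
SCRAPE_T1 = '''\
am_authentication_count{outcome="success",} 1260.0
am_authentication_count{outcome="failure",} 65.0
am_authentication_count{outcome="timeout",} 10.0
'''

SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

def parse_counter(text, metric, label):
    """Sum the samples of `metric` per value of `label` (other labels collapsed)."""
    totals = defaultdict(float)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip HELP/TYPE comments
            continue
        m = SAMPLE_RE.match(line)
        if m and m.group(1) == metric:
            labels = dict(LABEL_RE.findall(m.group(2) or ""))
            totals[labels.get(label, "")] += float(m.group(3))
    return dict(totals)

def failure_ratio(prev, curr):
    """Share of non-success authentications between two scrapes.

    Returns None when there was no traffic or a counter went backwards
    (a restart reset it), since the interval is then not comparable.
    """
    deltas = {k: v - prev.get(k, 0.0) for k, v in curr.items()}
    if any(d < 0 for d in deltas.values()):
        return None
    total = sum(deltas.values())
    if total == 0:
        return None
    return sum(d for k, d in deltas.items() if k != "success") / total

if __name__ == "__main__":
    t0 = parse_counter(SCRAPE_T0, "am_authentication_count", "outcome")
    t1 = parse_counter(SCRAPE_T1, "am_authentication_count", "outcome")
    print(failure_ratio(t0, t1))
```

Because the counters are cumulative, the ratio is computed on the difference between scrapes rather than on the raw values, which would hide a short burst of failures behind a long history of successes.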
There is no charge for obtaining the extension, only for the data (metrics & events) that the extension ingests. The details of license consumption will depend on which licensing model you are using. This will either be Dynatrace classic licensing or the Dynatrace Platform Subscription (DPS) model.
License consumption is based on the number of metric data points ingested. The following formula will provide approximate annual data points ingested. Note that this will vary considerably with traffic volume and patterns in your environment. For this reason, it will likely be more meaningful to run the extension for a period of time to determine metric consumption and then multiply that to get usage for a longer period (e.g. 1 year).
Calculation estimates yearly DDU usage:
Identity Management:
((2 * providers * registration types) + (user types) + (3 * operation per managed object) + (3 * unique action operation and outcome) + (audit topics) + (3 * object mappings)) * 525.6
Access Management:
(3 + (5 * unique sessions and outcomes) + (1 * authentication outcomes) + (3 * unique operations by token type) + (2 * grants by type) + (2 * types of token issued) + (2 * unique authorization evaluations)) * 525.6
License consumption is based on the size (in bytes) of data ingested & processed, retained, and queried, so there is not a single formula to estimate the total consumption from this extension. Consult the log management and analytics documentation for details on the other dimensions that will affect license consumption.
In the Dynatrace classic licensing model, log record ingestion will consume Davis Data Units (DDUs) at the rate of 100 DDUs per Gigabyte of log records ingested.
In log monitoring classic, license consumption is based on the number of ingested log records.
In the Dynatrace classic licensing model, log record ingestion will consume Davis Data Units (DDUs) at the rate of .0005 DDUs per ingested log record.
Multiply estimated ingested log records by .0005 to estimate DDU usage from log records.
When activating your extension using monitoring configuration, you can limit monitoring to one of the feature sets. To work properly the extension has to collect at least one metric after the activation.
In highly segmented networks, feature sets can reflect the segments of your environment. Then, when you create a monitoring configuration, you can select a feature set and a corresponding ActiveGate group that can connect to this particular segment.
All metrics that aren't categorized into any feature set are considered to be the default and are always reported.
A metric inherits the feature set of a subgroup, which in turn inherits the feature set of a group. Also, the feature set defined on the metric level overrides the feature set defined on the subgroup level, which in turn overrides the feature set defined on the group level.
| Metric name | Metric key | Description |
|---|---|---|
| Session operations | am_session_count | Session operations (e.g. 'check-exists', 'create', 'add-pll-listener') |
| Session operation duration (quantiles) | am_session_seconds | Duration of session operations (e.g. 'check-exists', 'create', 'add-pll-listener') by quantile |
| Session operation duration (overall) | am_session_seconds_total.count | Total duration of session operations (e.g. 'check-exists', 'create', 'add-pll-listener') by quantile |
| Total session lifetime | am_session_lifetime_seconds_total.count | Total session lifetime |
| Total session lifetime measurement count | am_session_lifetime_count | Count of measurements for total session lifetime |
| Authentications | am_authentication_count | Authentications by outcome (e.g. 'success', 'failure', 'timeout') |
| CTS total task time | am_cts_task_queue_seconds_total.count | Total time taken to perform CTS operations by type (e.g. 'create', 'read', 'delete') |
| CTS task queue size | am_cts_task_queue_size | Number of items waiting in a CTS queue |
| CTS task duration | am_cts_task_seconds | Time taken to perform CTS tasks by operation type |
| CTS tasks | am_cts_task_count | CTS tasks by operation type |
| CTS task total duration | am_cts_task_seconds_total.count | Total time taken to perform CTS tasks by operation type |
| OAuth 2.0 grant completions | am_oauth2_grant_count | OAuth 2.0 grant completions by grant type |
| OAuth 2.0 grant revocations | am_oauth2_grant_revoke_count | OAuth 2.0 grant revocations by grant type |
| OAuth 2.0 token issuances | am_oauth2_token_issue_count | OAuth 2.0 token issuances by token type |
| OAuth 2.0 token revocations | am_oauth2_token_revoke_count | OAuth 2.0 token revocations by token type |
| Policy evaluation calls | am_authorization_policy_set_evaluate_count | Policy evaluation calls under a given policy type |
| Policy evaluation call duration | am_authorization_policy_set_evaluate_seconds_total.count | Policy evaluation call duration by policy set and outcome |
| Metric name | Metric key | Description |
|---|---|---|
| Identity Cloud availability | forgerock_identity_cloud.availability | Availability as determined by checking for OK status from the '/monitoring/health' URL |
| Metric name | Metric key | Description |
|---|---|---|
| Self-service registrations | idm_selfservice_user_registration_count | Count of all successful user self-service registrations by registration type and provider |
| Self-service password resets | idm_selfservice_user_password_reset_count | Count of all successful user self-service password resets. |
| Successful logins | idm_user_login_count | Count of all successful logins by user type |
| Managed object operation duration | idm_managed_seconds | Duration of operations on a managed object by quantiles |
| Operations on a managed object | idm_managed_count | Number of operations by managed object |
| Managed object operation duration (overall) | idm_managed_seconds_total.count | Total duration of operations on a managed object |
| Repository datasource action duration | idm_repo_seconds | Duration of actions to a repository datasource for a generic/explicit mapped table by quantiles |
| Repository datasource actions | idm_repo_count | Count of actions to a repository datasource for a generic/explicit mapped table |
| Repository datasource action duration (overall) | idm_repo_seconds_total.count | Overall duration of actions to a repository datasource for a generic/explicit mapped table |
| Audit events | idm_audit_count | Count of all audit events generated of a given topic type |
| Mapping configuration duration (quantiles) | idm_sync_objectmapping_seconds | Duration of configurations applied to a mapping by quantiles |
| Mapping configurations | idm_sync_objectmapping_count | Number of configurations applied to a mapping |
| Mapping configuration duration (overall) | idm_sync_objectmapping_seconds_total.count | Total duration of configurations applied to a mapping |