Creating Chains for Push Authentication
Push authentication uses two separate authentication modules:
- A module to register a device to receive push notifications, called ForgeRock Authenticator (Push) Registration.
- A module to perform the actual authentication, called ForgeRock Authenticator (Push).
You can insert both modules into a single chain to register devices and then authenticate with push notifications. See "To Create a Chain for Push Authentication".
The ForgeRock Authenticator (Push) module can also be used for passwordless authentication using push notifications. If the module is placed at the start of a chain, it will ask the user to enter their user ID, but not their password. A push notification is then sent to their registered device to complete the authentication by using the ForgeRock Authenticator app.
Before implementing passwordless push authentication, consider the "Limitations When Using Passwordless Push Authentication".
To Create a Chain for Push Authentication
The procedure assumes the following:
- Users will provide user IDs and passwords as the first step of MFA.
- If the user does not have a device registered to receive push notifications, they will be asked to register one. After the device is successfully registered for push, authentication proceeds to the next step.
- A push notification will be sent to the device as a second factor to complete authentication.
The following services are configured:
- ForgeRock Authenticator (Push) Service
  Specifies the attribute in which to store information about the registered push device, and whether to encrypt the data.
  For detailed information about the available properties, see "ForgeRock Authenticator (Push) Service".
- Push Notification Service
  Configures how AM sends push notifications to registered devices, including endpoints and access credentials.
  For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.
  For detailed information about the available properties, see "Push Notification Service".
To create an MFA chain that uses the ForgeRock Authenticator (Push) Registration and ForgeRock Authenticator (Push) modules, perform the following steps:
1. In the AM console, select the realm that will contain the authentication chain.
2. Create a ForgeRock Authenticator (Push) Registration authentication module as follows:
   - Select Authentication > Modules, and then click Add Module. The New Module page appears.
   - Fill in the fields in the New Module page as follows:
     Name: Specify a module name of your choosing, for example push-reg.
     Type: Select ForgeRock Authenticator (Push) Registration.
   - Click Create. A page that lets you configure the authentication module appears.
   - Configure the module to meet your organization's requirements. For more information about the authentication module's configuration settings, see "ForgeRock Authenticator (Push) Registration Authentication Module".
3. Create a ForgeRock Authenticator (Push) authentication module as follows:
   - Select Authentication > Modules, and then click Add Module. The New Module page appears.
   - Fill in the fields in the New Module page as follows:
     Name: Specify a module name of your choosing, for example push-authn.
     Type: Select ForgeRock Authenticator (Push).
   - Click Create. A page that lets you configure the authentication module appears.
   - Configure the module to meet your organization's requirements. For more information about the authentication module's configuration settings, see "ForgeRock Authenticator (Push) Authentication Module".
4. Create the authentication chain as follows:
   - Select Authentication > Chains, and then click Add Chain. The Add Chain page appears.
   - Specify a name of your choosing, for example myPushAuthChain, and then click Create. A page appears with the Edit Chain tab selected.
5. Add the Data Store authentication module to the authentication chain as follows:
   - Click Add a Module. The New Module dialog box appears.
   - Fill in the New Module dialog box, specifying the Data Store authentication module. For this example, specify the Requisite flag.
   - Click OK. The graphic showing your authentication chain now includes a Data Store authentication module.
6. Add the ForgeRock Authenticator (Push) Registration authentication module to the authentication chain as follows:
   - Click Add a Module. The New Module dialog box appears.
   - Fill in the New Module dialog box, specifying the ForgeRock Authenticator (Push) Registration authentication module that you just created. For this example, specify the Requisite flag.
   - Click OK. The graphic showing your authentication chain now includes a Data Store and a ForgeRock Authenticator (Push) Registration authentication module.
7. Add the ForgeRock Authenticator (Push) authentication module to the authentication chain as follows:
   - Click Add a Module. The New Module dialog box appears.
   - Fill in the New Module dialog box, specifying the ForgeRock Authenticator (Push) authentication module that you created. For this example, specify the Required flag.
   - Click OK. The graphic showing your authentication chain now includes a Data Store, a ForgeRock Authenticator (Push) Registration, and a ForgeRock Authenticator (Push) authentication module.
8. Save your changes.
9. Test your authentication chain as follows:
   - Log out of AM, and then navigate to a URL similar to the following:
     https://openam.example.com:8443/openam/XUI/?realm=/&service=myPushAuthChain#login
     A login screen prompting you to enter your user ID and password appears.
   - Follow the procedure described in "Testing Push Authentication" to verify that you can use the ForgeRock Authenticator app to perform MFA. If the chain is correctly configured, authentication is successful and AM displays the user profile page.
The following procedure creates a chain for passwordless push authentication. It assumes the following:
- Users will provide only their user IDs as the first step of MFA.
- The user already has a device registered for receiving push notifications. For details of an authentication chain that can register a device for push notifications, see "To Create a Chain for Push Authentication".
- A push notification will be sent to the device as a second factor, to complete authentication without the need to enter a password.
The following services are configured:
- ForgeRock Authenticator (Push) Service
  Specifies the attribute in which to store information about the registered push device, and whether to encrypt the data.
  For detailed information about the available properties, see "ForgeRock Authenticator (Push) Service".
- Push Notification Service
  Configures how AM sends push notifications to registered devices, including endpoints and access credentials.
  For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.
  For detailed information about the available properties, see "Push Notification Service".
To create an MFA chain that uses the ForgeRock Authenticator (Push) module for passwordless authentication, perform the following steps:
1. In the AM console, select the realm that will contain the authentication chain.
2. Create the authentication chain as follows:
   - Select Authentication > Chains, and then click Add Chain. The Add Chain page appears.
   - Specify a name of your choosing, for example myPasswordlessAuthChain, and then click Create. A page appears with the Edit Chain tab selected.
3. Add the ForgeRock Authenticator (Push) authentication module to the authentication chain as follows:
   - Click Add a Module. The New Module dialog box appears.
   - Fill in the New Module dialog box, specifying the ForgeRock Authenticator (Push) authentication module that you created. For this example, specify the Requisite flag.
   - Click OK. The graphic showing your authentication chain now includes a ForgeRock Authenticator (Push) authentication module.
4. Save your changes.
5. Test your authentication chain as follows:
   - Log out of AM, and then navigate to a URL similar to the following:
     https://openam.example.com:8443/openam/XUI/?realm=/#login/&service=myPasswordlessAuthChain
     A login screen prompting you to enter your user ID appears.
   - Follow the procedure described in "Testing Push Authentication" to verify that you can use the ForgeRock Authenticator app to perform MFA. If the chain is correctly configured, authentication is successful and AM displays the user profile page, without having to enter a password.
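To make the effect of the Requisite and Required flags used in the two chains above concrete, here is an added Python model of how AM evaluates an authentication chain. It is example code written for this page, not ForgeRock code: the flag semantics (Required: must pass, on failure the chain continues but ends in failure; Requisite: must pass, on failure the chain stops at once; Sufficient: a pass ends the chain successfully unless a Required module already failed; Optional: only counts when no other module decides) follow AM's JAAS-style rules, while the three modules are toy stand-ins. The module names push-reg and push-authn, the User fields, the context keys and the constructed device ID are assumptions for illustration. Running it shows why the Data Store and registration modules are Requisite in the first chain: a wrong password or an incomplete registration stops the chain before the push module runs, so no notification is sent, and the Required push module then decides the final outcome. In the passwordless chain the Requisite push module fails immediately for a user without a registered device, which is why that procedure assumes registration has already happened.

```python
"""Added example: a model of AM authentication-chain evaluation.

Not ForgeRock AM code. The flag semantics follow AM's JAAS-style rules;
the modules are toy stand-ins for Data Store, ForgeRock Authenticator
(Push) Registration and ForgeRock Authenticator (Push). Module names,
User fields, context keys and the device ID are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must pass; on failure keep going, but the chain fails
    REQUISITE = "REQUISITE"    # must pass; on failure stop the chain at once
    SUFFICIENT = "SUFFICIENT"  # a pass ends the chain successfully unless a Required failed
    OPTIONAL = "OPTIONAL"      # only matters when no other module decides the outcome


@dataclass
class User:
    uid: str
    password: str
    push_device: Optional[str] = None  # None: no device registered for push
    approves_push: bool = True         # whether the user approves the notification in the app


Context = Dict[str, object]            # what the login flow has collected so far
Module = Callable[[User, Context], bool]


def data_store(user: User, ctx: Context) -> bool:
    """Stand-in for the Data Store module: checks the submitted password."""
    return ctx.get("password") == user.password


def push_registration(user: User, ctx: Context) -> bool:
    """Stand-in for ForgeRock Authenticator (Push) Registration.

    A user with a registered device passes straight through; otherwise the
    module succeeds only if the user completes registration with the app.
    """
    if user.push_device is not None:
        return True
    if ctx.get("completes_registration"):
        user.push_device = "device-id-constructed-for-example"  # assumed value
        return True
    return False


def push_auth(user: User, ctx: Context) -> bool:
    """Stand-in for ForgeRock Authenticator (Push): needs a device and an approval."""
    return user.push_device is not None and user.approves_push


@dataclass
class ChainEntry:
    name: str
    module: Module
    flag: Flag


def run_chain(chain: List[ChainEntry], user: User, ctx: Context) -> Tuple[bool, List[str]]:
    """Evaluate the chain; return (authenticated?, trace of the modules that ran)."""
    trace: List[str] = []
    required_failed = False
    any_passed = False
    for entry in chain:
        passed = entry.module(user, ctx)
        trace.append(f"{entry.name}[{entry.flag.value}]={'pass' if passed else 'fail'}")
        if passed:
            any_passed = True
        elif entry.flag is Flag.REQUISITE:
            return False, trace            # stop immediately: later modules never run
        elif entry.flag is Flag.REQUIRED:
            required_failed = True         # keep going, but the outcome is already failure
        if passed and entry.flag is Flag.SUFFICIENT and not required_failed:
            return True, trace             # short-circuit success
    return any_passed and not required_failed, trace


# The two chains described on this page, with the flags the procedures specify.
PUSH_CHAIN = [
    ChainEntry("DataStore", data_store, Flag.REQUISITE),
    ChainEntry("push-reg", push_registration, Flag.REQUISITE),
    ChainEntry("push-authn", push_auth, Flag.REQUIRED),
]
PASSWORDLESS_CHAIN = [ChainEntry("push-authn", push_auth, Flag.REQUISITE)]


if __name__ == "__main__":
    alice = User("alice", "correct horse")  # constructed user with no device yet
    print(run_chain(PUSH_CHAIN, alice, {"password": "wrong"}))
    print(run_chain(PUSH_CHAIN, alice, {"password": "correct horse", "completes_registration": True}))
    print(run_chain(PASSWORDLESS_CHAIN, alice, {}))  # alice now has a registered device
```

The trace returned by run_chain is the useful part when reasoning about a chain design: it shows which modules actually executed, so you can check that a failed password never reaches the push module (no notification is pushed to the real user's phone on a bad guess) and that swapping push-reg's flag from Requisite to Required would let the push module run against a user who has no device.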