Creating Trees for Push Authentication and Registration

Push authentication uses authentication trees both to register a user's device for push notifications and to perform the authentication itself: the tree sends the push notification and waits for the response from the ForgeRock Authenticator app.

Authentication trees can be used for passwordless authentication using push notifications. When configured for passwordless authentication, the authentication flow asks the user to enter their user ID but not their password. A push notification is then sent to their registered device to complete the authentication by using the ForgeRock Authenticator app.

Before implementing passwordless push authentication, consider the "Limitations When Using Passwordless Push Authentication". In particular, because the flow requires nothing more than a user ID, anyone who knows a user ID can cause a push notification to be sent to that user's registered device.

To Create a Tree for Push Authentication

The procedure assumes the following:

  • Users will provide user IDs and passwords as the first step of MFA.

  • A push notification will be sent to the device as a second factor to complete authentication.

  • The following services are configured:

    ForgeRock Authenticator (Push) Service

    Specifies the attribute in which to store information about the registered Push device, and whether to encrypt the data.

    For detailed information about the available properties, see "ForgeRock Authenticator (Push) Service".

    Push Notification Service

    Configures how AM sends push notifications to registered devices, including endpoints, and access credentials.

    For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

    For detailed information about the available properties, see "Push Notification Service".

To create an MFA tree, perform the following steps:

  1. In the AM console, go to Realms > Realm Name, and create the authentication tree as follows:

    1. Select Authentication > Trees, and then click Create Tree.

      The New Tree page appears.

    2. Specify a name of your choosing, for example myPushTree, and then click Create.

      The authentication tree designer is displayed, with the Start entry point connected to the Failure exit point.

      You can add nodes to the authentication tree by dragging the node from the Components panel on the left-hand side and dropping it into the designer area.

    3. Add the following nodes to the authentication tree:

    4. Connect the nodes as demonstrated in the following figure:

      Example Push Tree (Standalone AM): figure showing the push example tree.

      Example Push Tree (ForgeRock Identity Platform): figure showing the push example tree.

    5. Save your changes.

  2. Test your authentication tree as follows:

    1. Log out of AM, and then navigate to a URL similar to the following: https://openam.example.com:8443/openam/XUI/?realm=/alpha&service=myPushTree#login

      A login screen prompting you to enter your user ID and password appears.

    2. Follow the procedure described in "Testing Push Authentication" to verify that you can use the ForgeRock Authenticator app to perform MFA. If the authentication tree is correctly configured, authentication is successful and AM displays the user profile page.

To Create a Tree for Passwordless Authentication

The procedure assumes the following:

  • Users will provide only their user IDs as the first step of MFA.

  • Users already have a device registered for push authentication. For more information, see the example journey in "Creating Trees for Push Authentication and Registration".

  • A push notification will be sent to the device as a second factor to complete authentication, without the need to enter the user's password.

  • The following services are configured:

    ForgeRock Authenticator (Push) Service

    Specifies the attribute in which to store information about the registered Push device, and whether to encrypt the data.

    For detailed information about the available properties, see "ForgeRock Authenticator (Push) Service".

    Push Notification Service

    Configures how AM sends push notifications to registered devices, including endpoints, and access credentials.

    For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

    For detailed information about the available properties, see "Push Notification Service".

To create an MFA tree for passwordless authentication, perform the following steps:

  1. In the AM console, go to Realms > Realm Name, and create the authentication tree as follows:

    1. Select Authentication > Trees, and then click Create Tree.

      The New Tree page appears.

    2. Specify a name of your choosing, for example myPasswordlessAuthTree, and then click Create.

      The authentication tree designer is displayed, with the Start entry point connected to the Failure exit point.

      You can add nodes to the authentication tree by dragging the node from the Components panel on the left-hand side and dropping it into the designer area.

    3. Add the following nodes to the authentication tree:

      • Success Node

    4. Connect the nodes as demonstrated in the following figure:

      Passwordless Push Authentication Example (Standalone AM): figure showing an authentication tree set up for passwordless push authentication.

      Passwordless Push Authentication Example (ForgeRock Identity Platform): figure showing an authentication tree set up for passwordless push authentication.

    5. Save your changes.

  2. Test your authentication tree as follows:

    1. Log out of AM, and then navigate to a URL similar to the following: https://openam.example.com:8443/openam/XUI/?realm=/alpha&service=myPasswordlessAuthTree#login

      A login screen prompting you to enter your user ID appears.

    2. Follow the procedure described in "Testing Push Authentication" to verify that you can use the ForgeRock Authenticator app to perform MFA. If the authentication tree is correctly configured, authentication is successful and AM displays the user profile page, without having to enter a password.
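The two test procedures above drive the trees through the AM login UI. The same trees can be exercised without a browser through the AM REST authenticate endpoint, which is useful for checking that the push tree asks for a user ID and a password while the passwordless tree asks for a user ID only, and for scripting the check in a CI job. The following script is an added example, not part of the ForgeRock documentation or product: the host, realm and tree names are the ones used on this page, the endpoint, headers and callback JSON shapes are the standard AM ones (NameCallback, PasswordCallback, PollingWaitCallback), and the transport is injectable so that the callback-handling logic can be run offline against a constructed reply sequence that imitates AM.

```python
"""Drive an AM push authentication tree over the REST authenticate endpoint.

Added example (not ForgeRock's own code). Assumptions: AM at the host used
on the page, realm /alpha, trees named myPushTree and myPasswordlessAuthTree.
"""
import json
import time
import urllib.request
from copy import deepcopy

AM_BASE = "https://openam.example.com:8443/openam"   # host from the page
REALM_PATH = "realms/root/realms/alpha"              # realm "/alpha" from the page


def authenticate_url(tree):
    # authIndexType=service selects a tree by name, as the XUI "service" parameter does.
    return f"{AM_BASE}/json/{REALM_PATH}/authenticate?authIndexType=service&authIndexValue={tree}"


def http_transport(url, payload):
    """Real transport: POST JSON to AM and return the decoded reply.
    A failed authentication is an HTTP 401, which urllib raises as HTTPError."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept-API-Version": "resource=2.0, protocol=1.0"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fill_callbacks(callbacks, username, password=None):
    """Answer the callbacks AM returned. Returns the filled list and the set of
    callback types that were answered, so a caller can confirm the tree asked
    for exactly what it was designed to ask for (no password on the passwordless tree)."""
    answered = set()
    for cb in callbacks:
        kind = cb.get("type")
        if kind == "NameCallback":
            cb["input"][0]["value"] = username
            answered.add(kind)
        elif kind == "PasswordCallback":
            if password is None:
                raise ValueError("tree asked for a password but none was supplied")
            cb["input"][0]["value"] = password
            answered.add(kind)
        # PollingWaitCallback and TextOutputCallback carry no input; resubmit them unchanged.
    return callbacks, answered


def wait_time_ms(callbacks):
    """Return the waitTime (ms) requested by a PollingWaitCallback, or None."""
    for cb in callbacks:
        if cb.get("type") == "PollingWaitCallback":
            for out in cb.get("output", []):
                if out.get("name") == "waitTime":
                    return int(out["value"])
    return None


def run_tree(tree, username, password=None, transport=http_transport,
             sleep=time.sleep, max_rounds=30):
    """Run the tree to completion. Returns (tokenId, callback types answered in order)."""
    url = authenticate_url(tree)
    reply = transport(url, {})          # an empty POST starts the tree
    answered_all = []
    for _ in range(max_rounds):
        if "tokenId" in reply:
            return reply["tokenId"], answered_all
        if "callbacks" not in reply:
            raise RuntimeError(f"authentication failed: {reply}")
        callbacks, answered = fill_callbacks(reply["callbacks"], username, password)
        answered_all.extend(sorted(answered))
        ms = wait_time_ms(callbacks)
        if ms is not None:
            sleep(ms / 1000)            # the Push Wait node asks the client to poll, not to hammer AM
        reply = transport(url, {"authId": reply["authId"], "callbacks": callbacks})
    raise RuntimeError("push not approved within the polling budget")


# Constructed replies imitating AM, so the logic above can be exercised offline.
NAME_CB = {"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name"}],
           "input": [{"name": "IDToken1", "value": ""}]}
PASS_CB = {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password"}],
           "input": [{"name": "IDToken2", "value": ""}]}
POLL_CB = {"type": "PollingWaitCallback",
           "output": [{"name": "waitTime", "value": "3000"},
                      {"name": "message", "value": "Waiting for response..."}]}


def constructed_replies(passwordless):
    """Prompt, two polling rounds while the push is pending, then success."""
    first = [NAME_CB] if passwordless else [NAME_CB, PASS_CB]
    return [
        {"authId": "constructed-authId", "callbacks": deepcopy(first)},
        {"authId": "constructed-authId", "callbacks": [deepcopy(POLL_CB)]},
        {"authId": "constructed-authId", "callbacks": [deepcopy(POLL_CB)]},
        {"tokenId": "constructed-token-123", "successUrl": "/openam/console", "realm": "/alpha"},
    ]


class FakeAM:
    """Offline transport that hands out a fixed reply sequence and records the POSTs."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.posts = []

    def __call__(self, url, payload):
        self.posts.append(payload)
        return self.replies.pop(0)


def demo_offline(passwordless=True):
    tree = "myPasswordlessAuthTree" if passwordless else "myPushTree"
    fake = FakeAM(constructed_replies(passwordless))
    waits = []
    token, answered = run_tree(tree, "demo", None if passwordless else "Passw0rd",
                               transport=fake, sleep=waits.append)
    return {"tokenId": token, "answered": answered, "posts": len(fake.posts), "waits": waits}


if __name__ == "__main__":
    print(demo_offline(True))
    print(demo_offline(False))
```

Against a live AM, call run_tree("myPushTree", user, password) or run_tree("myPasswordlessAuthTree", user) with the default transport, approve the notification in the ForgeRock Authenticator app, and the function returns the SSO token. Passing no password to the push tree raises a ValueError on the PasswordCallback, which is the check you want in a script: a tree that prompts for more, or less, than it was designed to prompt for is misconfigured.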
