Introduction to authentication
Authentication is the act of confirming a user’s identity, for example, by providing a set of credentials.
In access management, authentication is tightly coupled with authorization. Usually, it is important to confirm that a user is who they say they are, and to ensure that they can access only a subset of information.
Consider a user who wants to access an online shop. As the owner of the shop, you want to ensure the user identity is confirmed (since it is tied to their shipping and email addresses and payment information) and you also want to ensure that they can only access their own information.
With AM, you can deploy a ForgeRock web agent on the web server hosting the online shop. The agent redirects the user’s request to an AM login page, where the user enters their credentials, such as username and password. AM determines who the user is, and whether the user has the right to access the protected page. AM then redirects the user back to the protected page with authorization credentials that can be verified by the agent. The agent allows the user authorized by AM to access the page.
In the same way, you can also use AM to protect physical devices connected on the Internet of Things (IoT). For example, a delivery van tracking system could have its proxying gateway authenticate to a brokering system using an X.509 certificate to allow it to enable an HTTPS protocol and then connect to sensors in its delivery trucks. If the X.509 certificate is valid, the brokering system can monitor a van’s fuel consumption, speed, mileage, and overall engine condition to maximize each van’s operating efficiency.
AM supports authentication modules and chains and authentication nodes and trees to implement authentication.
Authentication nodes and trees are replacing authentication modules and chains. We recommend that you implement nodes and trees when possible.
AM creates an authentication session to track the user’s authentication progress through an authentication chain or tree. Once the user has authenticated, AM creates a session to manage the user’s access to resources. To learn more about sessions, see Sessions.
Multi-factor authentication (MFA) is an authentication technique that requires users to provide multiple forms of identification when logging in to AM.
Multi-factor authentication provides a more secure method for users to access their accounts with the help of a device. Note that the word device is used in this section to mean a piece of equipment that can display a one-time password or that supports push notifications using protocols supported by AM multi-factor authentication. Devices are most commonly mobile phones with authenticator apps that support the OATH protocol or push notifications, but could also include other equipment.
The following is an example scenario of multi-factor authentication in AM:
An AM administrator configures an authentication tree to capture the user’s username and password and to create one-time passwords.
An end user authenticates to AM using that authentication tree.
AM prompts the user to enter the username and password—the first factor in multi-factor authentication.
If the user ID and password were correct, AM sends the user an email with a one-time password.
The user provides the one-time password to AM to successfully complete authentication—the second factor in multi-factor authentication.
AM supports the following multi-factor authentication protocols:
MFA: Open AuTHentication (OATH) to enable one-time password authentication.
MFA: Push authentication to receive push notifications in a device as part of the authentication process.
MFA: Web Authentication (WebAuthn) to enable authentication using an authenticator device, such as a fingerprint scanner.