Creating Chains for Push Authentication

Push authentication uses two separate authentication modules:

  • A module that registers a device to receive push notifications, called ForgeRock Authenticator (Push) Registration.

  • A module that performs the authentication itself, called ForgeRock Authenticator (Push).

You can insert both modules into a single chain to register devices and then authenticate with push notifications. See "To Create a Chain for Push Authentication".

The ForgeRock Authenticator (Push) module can also be used for passwordless authentication using push notifications. If the module is placed at the start of a chain, it will ask the user to enter their user ID, but not their password. A push notification is then sent to their registered device to complete the authentication by using the ForgeRock Authenticator app.

Before implementing passwordless push authentication, consider the "Limitations When Using Passwordless Push Authentication".

To Create a Chain for Push Authentication

The procedure assumes the following:

  • Users will provide user IDs and passwords as the first step of multi-factor authentication.

  • If the user does not have a device registered to receive push notifications, they will be asked to register a device. After successfully registering a device for push, authentication will proceed to the next step.

  • A push notification will be sent to the device as a second factor to complete authentication.

  • The following services are configured:

    ForgeRock Authenticator (Push) Service

    Specifies the attribute in which to store information about the registered Push device, and whether to encrypt the data.

    For detailed information about the available properties, see "ForgeRock Authenticator (Push) Service".

    Push Notification Service

    Configures how AM sends push notifications to registered devices, including endpoints and access credentials.

    For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

    For detailed information about the available properties, see "Push Notification Service".

To create a multi-factor authentication chain that uses the ForgeRock Authenticator (Push) Registration and ForgeRock Authenticator (Push) modules, perform the following steps:

  1. Log in to the AM console as an AM administrator, for example amAdmin.

  2. Select the realm that will contain the authentication chain.

  3. Create a ForgeRock Authenticator (Push) Registration authentication module as follows:

    1. Select Authentication > Modules, and then click Add Module.

      The New Module page appears.

    2. Fill in fields in the New Module page as follows:

      • Name: Specify a module name of your choosing, for example push-reg.

      • Type: Select ForgeRock Authenticator (Push) Registration.

    3. Click Create.

      A page that lets you configure the authentication module appears.

    4. Configure the module to meet your organization's requirements.

      For more information about the authentication module's configuration settings, see "ForgeRock Authenticator (Push) Registration Authentication Module".

  4. Create a ForgeRock Authenticator (Push) authentication module as follows:

    1. Select Authentication > Modules, and then click Add Module.

      The New Module page appears.

    2. Fill in fields in the New Module page as follows:

      • Name: Specify a module name of your choosing, for example push-authn.

      • Type: Select ForgeRock Authenticator (Push).

    3. Click Create.

      A page that lets you configure the authentication module appears.

    4. Configure the module to meet your organization's requirements.

      For more information about the authentication module's configuration settings, see "ForgeRock Authenticator (Push) Authentication Module".

  5. Create the authentication chain as follows:

    1. Select Authentication > Chains, and then click Add Chain.

      The Add Chain page appears.

    2. Specify a name of your choosing, for example myPushAuthChain, and then click Create.

      A page appears with the Edit Chain tab selected.

    3. Add the Data Store authentication module to the authentication chain as follows:

      1. Click Add a Module.

        The New Module dialog box appears.

      2. Fill in the New Module dialog box, specifying the Data Store authentication module. For this example, specify the Requisite flag.

      3. Click OK.

        The graphic showing your authentication chain now includes a Data Store authentication module.

    4. Add the ForgeRock Authenticator (Push) Registration authentication module to the authentication chain as follows:

      1. Click Add a Module.

        The New Module dialog box appears.

      2. Fill in the New Module dialog box, specifying the ForgeRock Authenticator (Push) Registration authentication module that you just created. For this example, specify the Requisite flag.

      3. Click OK.

        The graphic showing your authentication chain now includes a Data Store, and a ForgeRock Authenticator (Push) Registration authentication module.

    5. Add the ForgeRock Authenticator (Push) authentication module to the authentication chain as follows:

      1. Click Add a Module.

        The New Module dialog box appears.

      2. Fill in the New Module dialog box, specifying the ForgeRock Authenticator (Push) authentication module that you created. For this example, specify the Required flag.

      3. Click OK.

        The graphic showing your authentication chain now includes a Data Store, a ForgeRock Authenticator (Push) Registration, and a ForgeRock Authenticator (Push) authentication module.

      Figure: An authentication chain set up for push authentication.

    6. Save your changes.

  6. Test your authentication chain as follows:

    1. Log out of AM, and then navigate to a URL similar to the following: https://openam.example.com:8443/openam/XUI/?realm=/&service=myPushAuthChain#login

      A login screen prompting you to enter your user ID and password appears.

    2. Follow the procedure described in "Testing Push Authentication" to verify that you can use the ForgeRock Authenticator app to perform multi-factor authentication. If the chain is correctly configured, authentication is successful and AM displays the user profile page.

To Create a Chain for Push Registration and Passwordless Authentication

The procedure assumes the following:

  • Users will provide only their user IDs as the first step of multi-factor authentication.

  • The user already has a device registered for receiving push notifications. For details of an authentication chain that can register a device for push notifications, see "To Create a Chain for Push Authentication".

  • A push notification will be sent to the device as a second factor, to complete authentication without the need to enter a password.

  • The following services are configured:

    ForgeRock Authenticator (Push) Service

    Specifies the attribute in which to store information about the registered Push device, and whether to encrypt the data.

    For detailed information about the available properties, see "ForgeRock Authenticator (Push) Service".

    Push Notification Service

    Configures how AM sends push notifications to registered devices, including endpoints and access credentials.

    For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

    For detailed information about the available properties, see "Push Notification Service".

To create a multi-factor authentication chain that uses the ForgeRock Authenticator (Push) module for passwordless authentication, perform the following steps:

  1. Log in to the AM console as an AM administrator, for example amAdmin.

  2. Select the realm that will contain the authentication chain.

  3. Create the authentication chain as follows:

    1. Select Authentication > Chains, and then click Add Chain.

      The Add Chain page appears.

    2. Specify a name of your choosing, for example myPasswordlessAuthChain, and then click Create.

      A page appears with the Edit Chain tab selected.

    3. Add the ForgeRock Authenticator (Push) authentication module to the authentication chain as follows:

      1. Click Add a Module.

        The New Module dialog box appears.

      2. Fill in the New Module dialog box, specifying the ForgeRock Authenticator (Push) authentication module that you created. For this example, specify the Requisite flag.

      3. Click OK.

        The graphic showing your authentication chain now includes a ForgeRock Authenticator (Push) authentication module.

      Figure: An authentication chain set up for passwordless push authentication.

    4. Save your changes.

  4. Test your authentication chain as follows:

    1. Log out of AM, and then navigate to a URL similar to the following: https://openam.example.com:8443/openam/XUI/?realm=/#login/&service=myPasswordlessAuthChain

      A login screen prompting you to enter your user ID appears.

    2. Follow the procedure described in "Testing Push Authentication" to verify that you can use the ForgeRock Authenticator app to perform multi-factor authentication. If the chain is correctly configured, authentication is successful and AM displays the user profile page without you having to enter a password.
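
The flags chosen in the two procedures above decide which modules run when a step fails, and therefore whether a push notification is sent at all. The following Python model is an added example, not ForgeRock code: it applies the standard Required/Requisite/Sufficient/Optional chain semantics in simplified form to both chains, and the `DataStore` instance name and the `evaluate` and `push_sent` helpers are assumptions made for illustration.

```python
# Added example: a simplified model of chain flag evaluation, not ForgeRock code.
# push-reg and push-authn are the example module names from the procedures;
# "DataStore" is an assumed name for the Data Store module instance.
FLAGS = ("REQUISITE", "REQUIRED", "SUFFICIENT", "OPTIONAL")

PUSH_MFA_CHAIN = [
    ("DataStore", "REQUISITE"),
    ("push-reg", "REQUISITE"),
    ("push-authn", "REQUIRED"),
]
PASSWORDLESS_CHAIN = [("push-authn", "REQUISITE")]


def evaluate(chain, outcomes):
    """Walk the chain and return (authenticated, modules_invoked).

    outcomes maps module name -> True (module succeeded) or False (failed).
    """
    invoked = []
    required_failed = False
    any_success = False
    mandatory_present = any(f in ("REQUIRED", "REQUISITE") for _, f in chain)
    for name, flag in chain:
        if flag not in FLAGS:
            raise ValueError(f"unknown flag: {flag}")
        ok = outcomes[name]
        invoked.append(name)
        any_success = any_success or ok
        if flag == "REQUISITE" and not ok:
            return False, invoked      # fail fast: later modules never run
        if flag == "REQUIRED" and not ok:
            required_failed = True     # chain continues but will fail overall
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, invoked       # success short-circuits the rest
    if required_failed:
        return False, invoked
    # With no Required/Requisite module, at least one module must succeed.
    return (True if mandatory_present else any_success), invoked


def push_sent(chain, outcomes, push_module="push-authn"):
    """True if the push module is reached, i.e. a notification is sent."""
    return push_module in evaluate(chain, outcomes)[1]
```

In the first chain a failed Data Store login ends the flow before the push module runs, so no notification reaches the device; in the passwordless chain the push module is the first and only step, so a user ID alone triggers the notification.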
