Device Signing Verifier node
Verifies possession of a registered bound device.
The node requires the device to sign a challenge string using the private key that corresponds to a stored public key.
The user might need to unlock their cryptography keys with biometric security — such as a fingerprint — or a PIN.
This node can be used in usernameless authentication flows. The ForgeRock SDKs store and provide the identity when handling the callbacks from this node. If the device has been registered by more than one user, the SDK displays a list of the registered keys to choose from on the client device.
Compatibility
Product | Compatible? |
---|---|
Advanced Identity Cloud | Yes |
PingAM (self-managed) | Yes |
Ping Identity Platform (self-managed) | Yes |
Inputs
If you want the device to sign a particular challenge, the value must be available in shared state.
Dependencies
You can bind devices by using the Device Binding node.
Configuration
Property | Usage |
---|---|
Sign Random Challenge | Specifies that the node should use a random value as the challenge for signing. |
Shared state attribute for Challenge | Specifies that the node should use the value of the named attribute in shared state as the challenge for signing. |
Application IDs | Specifies a list of Android package names and iOS bundle IDs of applications that are allowed to perform device signing verification. For example, |
Title | Specifies a title to display to the user when asking them to bind the device. |
Sub Title | Specifies a secondary title, or subtitle, to display to the user when asking them to bind the device. |
Description | Specifies descriptive text to display to the user when asking them to bind the device. |
Timeout | Specifies the number of seconds to wait for a response from the client during binding. If the specified time is reached, evaluation continues along the |
Outcomes
- Success
- Failure
- No Registered Device
- Key Not Found
- Unsupported (Client)
- Abort (Client)
- Timeout (Client)
- ClientNotRegistered (Client)
If the response from the device is verified as coming from a bound device, evaluation continues along the Success outcome path.
If AM cannot verify that the response was signed by a bound device, evaluation continues along the Failure outcome path.
If the user does not have any bound devices, evaluation continues along the No Registered Device outcome path. The user is determined either previously in the authentication journey, or by reading the sub claim from the response when doing usernameless flows.
If the client device cannot access the cryptography keys, or the key ID that AM requested cannot be located, evaluation continues along the Key Not Found outcome path.
If the user’s client does not support the requested operation, evaluation continues along the Unsupported outcome path.
If the user cancels authentication, evaluation continues along the Abort outcome path.
If the node does not receive a response from the user’s device within the Timeout specified in the node configuration, evaluation continues along the Timeout outcome path.
If the client device does not have the keys present to be able to sign the challenge, evaluation continues along the ClientNotRegistered outcome path.
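The following Go program is an added illustration of the challenge-signing round trip the node performs; it is not ForgeRock or Ping Identity code and does not model the SDK's real callback or response format. It assumes a hypothetical in-memory `Registry` (user to key ID to public key, populated at binding time), a hypothetical client-side `Keystore` of bound P-256 private keys, and a constructed `SignedResponse` that carries the `sub`, key ID, challenge and signature. `Verify` maps the server-side checks onto the Success, Failure and No Registered Device outcomes described above, and `RunJourney` maps a missing key on the device onto Key Not Found.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// Outcome names mirror the node's outcome paths.
type Outcome string

const (
	Success            Outcome = "Success"
	Failure            Outcome = "Failure"
	NoRegisteredDevice Outcome = "No Registered Device"
	KeyNotFound        Outcome = "Key Not Found"
)

// Registry is a hypothetical server-side store: user -> key ID -> public key.
type Registry map[string]map[string]*ecdsa.PublicKey

// Keystore is a hypothetical client-side store of bound private keys.
type Keystore map[string]*ecdsa.PrivateKey

var ErrKeyNotFound = errors.New("key ID not present in device keystore")

// SignedResponse is a constructed stand-in for the client's callback response.
type SignedResponse struct {
	Sub       string // user identifier (the "sub" the node reads in usernameless flows)
	KeyID     string
	Challenge string
	Signature []byte // ASN.1 DER ECDSA signature
}

// NewChallenge returns 32 random bytes, base64url-encoded (the "Sign Random Challenge" case).
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Bind generates a P-256 key pair on the device, registers the public half for the
// user and returns the key ID (a truncated hash of the public key). Constructed stand-in
// for what a binding step would do; the Device Binding node itself is not modelled.
func Bind(reg Registry, ks Keystore, sub string) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(elliptic.MarshalCompressed(priv.Curve, priv.X, priv.Y))
	kid := base64.RawURLEncoding.EncodeToString(sum[:8])
	ks[kid] = priv
	if reg[sub] == nil {
		reg[sub] = map[string]*ecdsa.PublicKey{}
	}
	reg[sub][kid] = &priv.PublicKey
	return kid, nil
}

// signingInput hashes sub, key ID and challenge together so one signature covers all three.
func signingInput(sub, kid, challenge string) []byte {
	h := sha256.Sum256([]byte(sub + "\x00" + kid + "\x00" + challenge))
	return h[:]
}

// DeviceSign models the client: sign with the requested key, or report that it is missing.
func DeviceSign(ks Keystore, sub, kid, challenge string) (SignedResponse, error) {
	priv, ok := ks[kid]
	if !ok {
		return SignedResponse{}, ErrKeyNotFound
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signingInput(sub, kid, challenge))
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{Sub: sub, KeyID: kid, Challenge: challenge, Signature: sig}, nil
}

// Verify models the server side: the signed challenge must be the one this journey
// issued (a stale one is a replay), and the signature must verify under a key bound to the user.
func Verify(reg Registry, issued string, resp SignedResponse) Outcome {
	keys := reg[resp.Sub]
	if len(keys) == 0 {
		return NoRegisteredDevice
	}
	pub, ok := keys[resp.KeyID]
	if !ok {
		return Failure // key ID is not one bound to this user
	}
	if subtle.ConstantTimeCompare([]byte(resp.Challenge), []byte(issued)) != 1 {
		return Failure
	}
	if !ecdsa.VerifyASN1(pub, signingInput(resp.Sub, resp.KeyID, resp.Challenge), resp.Signature) {
		return Failure
	}
	return Success
}

// RunJourney drives one round trip: issue a challenge, have the device sign it, verify.
func RunJourney(reg Registry, ks Keystore, sub, kid string) (Outcome, error) {
	challenge, err := NewChallenge()
	if err != nil {
		return Failure, err
	}
	resp, err := DeviceSign(ks, sub, kid, challenge)
	if errors.Is(err, ErrKeyNotFound) {
		return KeyNotFound, nil
	}
	if err != nil {
		return Failure, err
	}
	return Verify(reg, challenge, resp), nil
}
```

Binding the challenge, the key ID and the `sub` into a single signed digest is what stops a captured response from being replayed in a later journey or presented under a different user; the per-journey challenge comparison is what makes the Failure outcome fire for a stale response even when the signature itself is valid.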