Enterprise Connect

Create authentication journey(s)

To enable workstation authentication integration, you need to create relevant journeys to support the MFA authentication method(s) you want. These journeys allow workstation authentication to work directly with the ForgeRock environment.

Since Enterprise Connect integrates with Identity Cloud or self-managed Access Management, the examples that follow depict the various UI changes between the two.

Do not deviate from the following journeys when you configure Enterprise Connect or use the journeys you create for any other purpose (including repurposing the journeys). You must strictly follow the placement of the nodes to ensure the product works correctly.

Failure to do so or the addition of other nodes could result in unexpected behavior.

Example of push journey

The push journeys for Enterprise Connect allow users to approve a push notification from the ForgeRock Authenticator application. End users must download the ForgeRock Authenticator application and pre-register (from another journey you define) to be able to use the push journeys.

  • Identity Cloud

  • Access Management

Create push journey in Identity Cloud
Figure 1. Push journey in Identity Cloud

If you configure Use credentials in the MSI Updater client, then you must include the Platform Password and Data Store Decision nodes. Otherwise, you must omit these nodes in your journey configuration.

When configuring the push journey in Identity Cloud, you must enable services in the AM admin UI (native console). For more information, refer to Create a push authentication journey.
Create push journey in Access Management
Figure 2. Push journey in Access Management

If you configure Use credentials in the MSI Updater client, then you must include the Platform Password and Data Store Decision nodes. Otherwise, you must omit these nodes in your journey configuration.

When configuring the push journey in Access Management, you must enable services in the AM admin UI (self managed). For more information, refer to Create a push authentication journey.

Example of OTP from authenticator app journey

The following journeys show the OTP that is presented from the ForgeRock Authenticator application. End users must download the ForgeRock Authenticator application and pre-register (from another journey you define) to be able to use the OTP journeys.

  • Identity Cloud

  • Access Management

Create OTP journey in Identity Cloud
Figure 3. Offline OTP journey in Identity Cloud

If you configure Use credentials in the MSI Updater client, then you must include the Platform Password and Data Store Decision nodes. Otherwise, you must omit these nodes in your journey configuration.

Create OTP journey in Access Management
Figure 4. Offline OTP journey in Access Management

If you configure Use credentials in the MSI Updater client, then you must include the Platform Password and Data Store Decision nodes. Otherwise, you must omit these nodes in your journey configuration.

Example of OTP SMS/email/voice call journey

The following journeys show the OTP (HOTP) that can be presented to an end user via SMS/email/voice. Ensure end users have the appropriate data in their user profile to facilitate the MFA method(s) you allow an end user to select.

  • Identity Cloud

  • Access Management

Create SMS/email journey in Identity Cloud
Figure 5. SMS/email/voice call journey in Identity Cloud

If you configure Use credentials in the MSI Updater client, then you must include the Platform Password and Data Store Decision nodes. Otherwise, you must omit these nodes in your journey configuration.

In the Choice Collector node, the options correlate to the following MFA methods within Windows Workstation Authentication:

  1. SMS

  2. Email

  3. Voice

Therefore, ensure SMS is the first choice in the node, followed by email. If voice call is a method you configure, it must be the third option.

Do not deviate from this order.

If you choose to use the voice option, you could use the Twilio nodes (you must have a valid subscription with Twilio).

Create SMS/email journey in Access Management
Figure 6. SMS/email/voice call journey in Access Management

If you configure Use credentials in the MSI Updater client, then you must include the Platform Password and Data Store Decision nodes. Otherwise, you must omit these nodes in your journey configuration.

In the Choice Collector node, the options correlate to the following MFA methods within Windows Workstation Authentication:

  1. SMS

  2. Email

  3. Voice

Therefore, ensure SMS is the first choice in the node, followed by email. If voice call is a method you configure, it must be the third option.

Do not deviate from this order.

If you choose to use the voice option, you could use the Twilio nodes (you must have a valid subscription with Twilio).

Example of SSO journey

The following journeys depict the flow that Enterprise Connect uses after a user authenticates to their workstation. The end user ForgeRock environment opens in a default browser.

If you configure the Enable SSO setting in the MSI Updater client, then this journey applies to you. In this setting, you must supply the journey URL.

An example SSO URL to enter in this field is http://<tenant-env-fqdn>/am/XUI/?realm=alpha&authIndexType=service&authIndexValue=sso-journey&ForceAuth=true.

The authIndexValue references the journey to use for SSO. Ensure to add ForceAuth=true to the end of your SSO URL.
  • Identity Cloud

  • Access Management

Create SSO URL journey in Identity Cloud
Figure 7. SSO URL journey in Identity Cloud

The Check for ValidSession node (shown in the image above) is the Scripted Decision node. In this example, it references a simple authentication JavaScript script:

if (typeof existingSession !== 'undefined')
{
  outcome = "hasSession";
}
else
{
  outcome = "noSession";
}

The Push Inner Tree (shown in the image above) is the Inner Tree Evaluator node. If the user does not have a valid session, the inner push journey is executed.

Create SSO URL journey Access Management
Figure 8. SSO URL journey in Access Management

The Check for ValidSession node (shown in the image above) is the Scripted Decision node. In this example, it references a simple authentication JavaScript script:

if (typeof existingSession !== 'undefined')
{
  outcome = "hasSession";
}
else
{
  outcome = "noSession";
}

The Push Inner Tree (shown in the image above) is the Inner Tree Evaluator node. If the user does not have a valid session, the inner push journey is executed.

Windows Workstation Authentication installation/configuration checklist
  • Download and install the binaries from Backstage (you must be logged in). This includes the base MSI file as well as the MSI Updater client.

  • Pre-configure the relevant journey(s).

  • Install the MSI Updater client on an administrative Windows machine.

  • Configure the MSI Updater client specific to your organization’s needs.

  • (Optional) Consider additional configurations.

  • Deploy the generated MSI file through your desired mechanism.

  • Verify and test your deployment.

Copyright © 2010-2023 ForgeRock, all rights reserved.