Enterprise Connect

Create authentication journey(s)

To enable workstation authentication integration, you need to create the journeys that support the MFA authentication method(s) you want to offer. These journeys allow workstation authentication to work directly with the ForgeRock environment.

Because Enterprise Connect integrates with either Identity Cloud or self-managed Access Management, the examples that follow show the UI differences between the two.

Example of push journey

Create push journey in Identity Cloud

Figure 1. Push journey in Identity Cloud

When configuring the push journey in Identity Cloud, you must enable services in the AM admin UI (native console). For more information, refer to Create a push authentication journey.

Create push journey in Access Management

Figure 2. Push journey in Access Management

When configuring the push journey in Access Management, you must enable services in the AM admin UI (self-managed). For more information, refer to Create a push authentication journey.

Example of OTP journey

Create OTP journey in Identity Cloud

Figure 3. Offline OTP journey in Identity Cloud

Create OTP journey in Access Management

Figure 4. Offline OTP journey in Access Management

Example of SMS/email/voice call journey

Create SMS/email journey in Identity Cloud

Figure 5. SMS/email/voice call journey in Identity Cloud

In the Choice Collector node, the options must be sms and email (lowercase) for the Windows Workstation Authentication MSI package to communicate properly. SMS must be the first choice, and email must be the second choice. If voice call is a method, it must be the third option in the selector, with the value voice.

Create SMS/email journey in Access Management

Figure 6. SMS/email/voice call journey in Access Management

In the Choice Collector node, the options must be sms and email (lowercase) for the Windows Workstation Authentication MSI package to communicate properly. SMS must be the first choice, and email must be the second choice. If voice call is a method, it must be the third option in the selector, with the value voice.
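The Choice Collector ordering and casing rule above (for both the Identity Cloud and Access Management variants) is easy to get wrong by hand, so here is an added lint, not ForgeRock's own code, that checks a node configuration against it before you deploy the MSI. The configuration shape {choices: [...], defaultChoice: "..."} is an assumption modelled on the node's attributes; adapt the accessor if your journey export uses different keys.

```javascript
// Added example (not ForgeRock's code): lint a Choice Collector node's
// configuration against the rules the Windows Workstation Authentication
// MSI package expects: "sms" first, "email" second, optionally "voice"
// third, all lowercase, and nothing else.
// The config shape {choices, defaultChoice} is an assumption.

const REQUIRED_ORDER = ["sms", "email"];
const OPTIONAL_THIRD = "voice";

// Returns a list of human-readable problems; an empty list means the node
// is configured the way the MSI package requires.
function lintChoiceCollector(nodeConfig) {
  const problems = [];
  const choices = Array.isArray(nodeConfig.choices) ? nodeConfig.choices : null;
  if (!choices) {
    return ["choices must be an array"];
  }
  if (choices.length < 2 || choices.length > 3) {
    problems.push(`expected 2 or 3 choices, found ${choices.length}`);
  }
  choices.forEach((choice, i) => {
    if (typeof choice !== "string") {
      problems.push(`choice ${i} is not a string`);
      return;
    }
    // Casing and stray whitespace break the MSI's string matching.
    if (choice !== choice.toLowerCase() || choice !== choice.trim()) {
      problems.push(`choice ${i} ("${choice}") must be lowercase with no surrounding whitespace`);
    }
    // Position is significant: sms, email, then (optionally) voice.
    const expected = i < REQUIRED_ORDER.length ? REQUIRED_ORDER[i] : OPTIONAL_THIRD;
    if (choice.trim().toLowerCase() !== expected) {
      problems.push(`choice ${i} must be "${expected}", found "${choice}"`);
    }
  });
  if (nodeConfig.defaultChoice !== undefined && !choices.includes(nodeConfig.defaultChoice)) {
    problems.push(`defaultChoice "${nodeConfig.defaultChoice}" is not one of the choices`);
  }
  return problems;
}

// Constructed sample configurations (not taken from a real deployment).
const GOOD_TWO = { choices: ["sms", "email"], defaultChoice: "sms" };
const GOOD_THREE = { choices: ["sms", "email", "voice"], defaultChoice: "sms" };
const BAD_CASE = { choices: ["SMS", "Email"], defaultChoice: "SMS" };
const BAD_ORDER = { choices: ["email", "sms", "voice"], defaultChoice: "sms" };

// Lint every sample and report per-node results.
function lintAll() {
  const samples = { GOOD_TWO, GOOD_THREE, BAD_CASE, BAD_ORDER };
  const report = {};
  for (const [name, cfg] of Object.entries(samples)) {
    report[name] = lintChoiceCollector(cfg);
  }
  return report;
}

console.log(lintAll());
```

Run it with node; the two GOOD samples lint clean, BAD_CASE reports the two casing violations, and BAD_ORDER reports that positions 0 and 1 are swapped. Run the same function over the Choice Collector node from each of your journeys before packaging the MSI.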

Example of SSO journey

Create SSO URL journey in Identity Cloud

Figure 7. SSO URL journey in Identity Cloud

The Check for ValidSession node (shown in the figure above) is a Scripted Decision node. In this example, it references a simple JavaScript authentication script that sets the node outcome according to whether the user already holds a session:

// Scripted Decision node: the existingSession binding is only defined
// when the request already carries a valid AM session.
if (typeof existingSession !== 'undefined')
{
  outcome = "hasSession";
}
else
{
  outcome = "noSession";
}

Create SSO URL journey in Access Management

Figure 8. SSO URL journey in Access Management

The Check for ValidSession node (shown in the figure above) is a Scripted Decision node. In this example, it references a simple JavaScript authentication script that sets the node outcome according to whether the user already holds a session:

// Scripted Decision node: the existingSession binding is only defined
// when the request already carries a valid AM session.
if (typeof existingSession !== 'undefined')
{
  outcome = "hasSession";
}
else
{
  outcome = "noSession";
}

Windows Workstation Authentication installation/configuration checklist

  • Download and install the binaries from Backstage (you must be logged in). This includes the base MSI file as well as the MSI Updater client.

  • Pre-configure the relevant journey(s).

  • Install the MSI Updater client on an administrative Windows machine.

  • Configure the MSI Updater client specific to your organization’s needs.

  • (Optional) Consider additional configurations.

  • Deploy the generated MSI file through your desired mechanism.

  • Verify and test your deployment.

Copyright © 2010-2022 ForgeRock, all rights reserved.