Overview
The ForgeRock Identity Platform is the only offering for access management, identity management, user-managed access, directory services, and an identity gateway, designed and built as a single, unified platform.
These topics let you set up and configure user self-service processes using the ForgeRock Identity Platform. These processes include self-registration, login, registration using social identity providers, and additional features like progressive profile completion, password reset, and username recovery.
Start here
Learn about self-service using the ForgeRock Identity Platform.
Platform configuration
Configure the ForgeRock Identity Platform for self-service.
Self-registration
Configure user self-registration.
Social registration
Configure registration using external identity providers.
Login
Configure the user login flow to use self-service.
Progressive profile
Configure progressive profile completion.
Password reset
Configure user-driven password reset.
Username recovery
Configure user-driven username recovery.
Update password
Configure user-driven password updates.
Node reference
Reference for platform-specific authentication nodes.
|
This documentation is meant to help you familiarize yourself with using the platform for user self-service. It will provide examples of common self-service actions and introduce you to core concepts for implementing self-service. However, this documentation is not exhaustive or prescriptive. The examples provided are simply one approach, and there may be more effective approaches for your specific needs. Use the examples as a starting point to learn from. |
ForgeRock® Identity Platform serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.
The ForgeRock® Common REST API works across the platform to provide common ways to access web resources and collections of resources.
User self-service overview
User Self-Service lets your users create and manage their own accounts, while giving you control over what features are available and how they work. With the platform, this is done using authentication trees, either through the AM admin UI, or through the Platform Admin UI. Because this service uses both AM and IDM to work, it requires the platform to function.
|
While it is possible to configure authentication trees in both the AM admin UI and the Platform Admin UI, the Platform Admin UI is recommended:
One case where you may wish to use the AM admin UI instead, is to configure trees in different realms. |
Before continuing with this documentation, make sure you have successfully configured the platform. There are several methods you can use to set up the platform:
-
Configure and set up the platform using Kubernetes. More information about setting up the ForgeRock Identity Platform with Kubernetes can be found in the ForgeOps documentation.
-
Alternatively, manually configure the platform integration between AM and IDM. More information is found in Deployment overview.
This documentation references some sample authentication trees that have been created
to demonstrate various features of self-service.
Depending on your configuration method, these trees may already be included.
If they aren’t already present, or you deleted the trees and wish to re-create them,
these sample trees can found in sample-trees-7.2.0.zip included with AM.
For more information about adding these trees to the platform,
see Configure authentication trees.
|
This documentation focuses on the platform implementation of user self-service. To use the IDM-specific or AM-specific implementations, see the instructions in the IDM self-service reference and the AM user self-service documentation. |
Authentication trees and self-service
The following nodes were created specifically for use in self-service flows, although you can also use them in other authentication flows:
Since User Self-Service is built using authentication trees, nearly any authentication node included with AM can be used in your self-service flow. The following nodes are not compatible with platform-based self-service, however:
If you are using a third-party node from the ForgeRock Marketplace, check with the developer for compatibility.
The following sample trees are available:
- Registration
-
The sample Registration tree describes a basic registration flow, where the user is prompted to provide several profile attributes, then attempts to create the user and log the user in. You can find this tree in AM samples in
root/AuthTree/PlatformRegistration.json. More information is covered in User self-registration. For more information about configuring registration to include social identity providers, see Social authentication. - Login
-
The sample Login tree describes a basic login flow, where the user is prompted to provide a username and password, then passed to a progressive profile tree before being logged in. You can find this tree in AM samples in
root/AuthTree/PlatformLogin.json. More information about modifying the Login tree is covered in Login with self-service. For more information about including social identity providers in a Login tree, see Social authentication. - Progressive Profiles
-
The sample Progressive Profile tree is called by the Login tree sample. It checks the login count to see if further action is needed. If no action is required, it returns to the Login tree to complete logging in. If the specified number of logins is reached, it instead checks to see if user preferences have been set, and if not, prompts the user to set those preferences. It then returns to the Login tree to finish logging in. You can find this tree in AM samples in
root/AuthTree/PlatformProgressiveProfile.json. For more information about using progressive profiling, see Progressive profile. - Password Reset
-
The Password Reset sample tree provides a method for users to reset their password by providing their email and answering some security questions. If the questions are answered correctly, the user is emailed a password reset link, which they must click to proceed. They are then presented with a password prompt to enter a new password. You can find this tree in AM samples in
root/AuthTree/PlatformResetPassword.json. For more information, see Password reset. - Forgotten Username
-
The Forgotten Username sample tree gives users a method to recover their username by entering an email address. If the email address is associated with a user account, the account’s username will be emailed to the user. The email includes a link to log in, which will take the user through the Login tree. You can find this tree in AM samples in
root/AuthTree/PlatformForgottenUsername.json. For more information, see Username recovery. - Update Password
-
The Update Password sample tree lets users change their passwords. The tree assumes that the user has already logged in successfully. It checks the user’s session data and, if the session is valid, prompts the user to update their password. You can find this tree in AM samples in
root/AuthTree/PlatformUpdatePassword.json. For more information, see Password updates.
|
There is a small naming difference, depending on which method you used to set up the platform.
If you are using ForgeOps, the names of the trees will be as listed above.
If you manually set up the platform and are loading the trees from the AM samples,
the names will have |
Platform configuration for user self-service
Some configuration is necessary to enable self-service for the platform. Depending on your method of deployment, some or all of these steps may already be complete, but should be checked to make sure everything is set up correctly.
Most of the configuration for Self-Service is located in AM, with a few exceptions:
Configure self-service trees endpoints
AM includes a service to map authentication trees that you created to endpoints in self-service. To reach this service, from the top-level realm in AM, go to Services and select the Self Service Trees service. If the service isn’t already present, add it using the Add Service button at the top of the page.
You can add multiple endpoints to handle different behavior you want to include.
For instance, if you wanted a separate registration flow for registering devices,
you could create a tree called Device Registration,
then add a new endpoint here called device-registration, with "Device Registration" as the value.
|
The |
To delete an existing endpoint, you need to call this service’s endpoint directly, and update the treeMapping object:
curl \
--request PUT \
--header 'accept: application/json, text/javascript, /; q=0.01' \
--header 'accept-api-version: protocol=1.0,resource=1.0' \
--header 'accept-language: en-US' \
--header 'content-type: application/json' \
--header 'cookie: <omitted for length>' \
--header 'x-requested-with: XMLHttpRequest' \
--cookie '<omitted for length>' \
--data '{
"treeMapping":{
"resetPassword":"PlatformResetPassword",
"updatePassword":"PlatformUpdatePassword",
"forgottenUsername":"PlatformForgottenUsername",
"registration":"PlatformRegistration",
},
"_id":"",
"_type":{
"_id":"selfServiceTrees",
"name":"Self Service Trees",
"collection":false
}
}' \
https://default.iam.example.com/am/json/realms/root/realm-config/services/selfServiceTrees
Configure self-service policies
You can set up policies to determine how different features in self-service should behave, such as determining password requirements, or confirming that required fields have been filled out. Policies are configured in IDM. More information about using policies can be found in Use policies to validate data in the IDM documentation.
To configure which policies are applied:
-
Open the IDM admin UI, and select Configure > Managed Objects, then select the type of managed object you wish to configure (for example, User). This will take you to a list of properties which are part of that object type.
-
Select the property you wish to configure (for example,
password), then click on the Validation tab. This will list any policies currently in place. -
You can add, remove, or edit policies that are available in IDM. If you need to create a custom policy, see Extend the policy service in the IDM documentation. Note: creating custom policies is not available through the UI, though they can be set through the IDM admin UI once the policies have been created.
|
It’s possible to also set password policies within DS. If policies are set in both IDM and DS, make sure the policies match. If the DS password policy is more restrictive than the IDM policy, the user may get an error when updating their password, despite satisfying the policy set in IDM. |
Configure email for self-service
The Email Template node and Email Suspend node make use of the email service in IDM. To use email in platform self-service, this will need to be configured.
To configure email:
-
Open the IDM admin UI, then select Configure > Email Settings.
-
If the email service is not yet enabled, select Enable. It will then prompt you to fill out the settings for the email service you intend to use. For more information about configuring email, see Configure outbound email in the IDM documentation.
-
Once email service is configured, set up the email templates used in self-service by selecting the Templates tab in Email Settings. There are five templates used in default self-service flows:
-
Forgotten Username: Used in the Forgotten Username tree. When calling this template in a node, the template name is
forgottenUsername. -
Registration: This template is not used in any of the example trees, but is available if you wish to configure registration to include email verification. When calling this template in a node, the template name is
registration. -
Reset Password: Used in the Reset Password tree. When calling this template in a node, the template name is
resetPassword. -
Update Password: This template is not used in any of the example trees, but is available if you wish to configure the Update Password to include an email step. When calling this template in a node, the template name is
updatePassword. -
Welcome: This template is not used in any of the example trees, but is available if you wish to include a welcome email after the user is registered. When calling this template in a node, the template name is
welcome.
-
It is possible to set up additional email templates according to your needs. For example, you may wish to set up an email notification when the user’s password is updated. This functionality is not currently available in the UI, however.
To create a new email template:
-
In your IDM
conf/directory, create a new file calledemailTemplate-newTemplateName.json. For example, to send a password change notification when a user updates their password, createemailTemplate-changedPassword.json. -
In the new file you created, add the template information. For example, if you wanted to create an
changedPasswordemail template:{ "enabled" : true, "from" : "", "subject" : { "en" : "Password Change Notification" }, "message" : { "en" : "<html><body>Your password has just been changed.<br/> If you did not change your password, or believe you received this email in error, please contact Customer Support.</body></html>", }, "defaultLocale" : "en", "mimeType" : "text/html" }jsonNote that both
subjectandmessageare localized, and can include HTML tags allowed in HTML emails. -
Once the template has been added, you can then reference the email template in your Email Template or Email Suspend nodes using the template name (in the above example,
changedPassword).
The following nodes are associated with platform email services:
- Email Suspend node
-
The Email Suspend node emails the user using an email template that you have configured in IDM. It then pauses the tree it is used in, until it receives a response from a link the email that was sent. This can be useful in cases of registration, where you wish to include an email verification step, or in a password reset flow, where you want additional verification before proceeding with the password reset.
When using this node, make sure the email template you are using includes a resume link, so the node can continue after the email is received. This is done using the
{{object.resumeURI}}template variable. - Email Template node
-
The Email Template node emails the user using an email template that you have configured in IDM. Unlike the Email Suspend node, this node does not pause the tree. This makes it more useful for cases where you don’t need to wait for feedback from the user, such as a Welcome email, or when recovering a username.
There are two possible outcomes: either the email is successfully sent, or the email is not sent. An email might not be sent for different reasons, but most commonly because the email doesn’t exist on any known user. For security reasons, send both Email Sent and Email Not Sent the same response (Success).
User self-registration
User self-registration lets your users create their own accounts. To configure registration, your registration tree requires at least the following nodes:
-
The Platform Username node.
If you have changed the
userNameattribute to something else, you will need to configure this node to use the new attribute (for example, if you changed your configuration to use themailattribute instead). -
An Attribute Collector node, configured to collect information from the user for any attributes that are required to create a new user.
By default, required attributes include
userName,givenName,sn(short for surname), andmail(short for email). The node can collect optional attributes as well, as long as any required attributes are collected. -
The Create Object node, to actually create the user in IDM.
All other nodes are technically optional. Some are strongly encouraged; for example, if you don’t include a Platform Password node, the user won’t have a password to authenticate and log in with. Cases where the Platform Password node isn’t necessary are cases such as if you provide some other method to either authenticate (such as social identity providers), or generate a password for the user.
Nodes that present or collect information for the user are each displayed on their own page by default. To collect multiple nodes into one page, place these nodes in a Page node. There are some limitations to consider when adding nodes to a Page node:
-
Only nodes that require interaction with the user should go in a Page node.
-
There should be no more than one node with multiple possible outcomes in a Page node.
-
The Email Suspend node and the Social Provider Handler node should not be placed in a Page node.
Common nodes to have in a registration tree include:
-
The CAPTCHA node, discussed in CAPTCHA services.
-
The KBA Definition node, discussed in Security questions.
-
The Accept Terms and Conditions node, discussed in Terms and conditions.
-
The Consent Collector node, discussed in Privacy and consent.
CAPTCHA services
CAPTCHA is a way to challenge a user to verify that they are human, and includes a number of different services. Choose the CAPTCHA service that best suits your requirements. The default configuration in the platform CAPTCHA node is for Google’s reCAPTCHA service. The node has been tested for use with reCAPTCHA v2 and hCaptcha v1. Other services should work, as long as they follow a similar configuration pattern.
You will need to provide a CAPTCHA Site Key and CAPTCHA Secret Key. The rest of CAPTCHA configuration is done through the service that you are using.
Security questions
Security questions let a user provide answers to questions that can later be used to verify their identity. This process is also called Knowledge-Based Authentication (KBA).
Configuration
To configure security questions, select Security > Security Questions. From here, you can configure the questions that are presented to users, and how they should be handled.
-
Click Add Question to set additional questions for the user.
On the Add a Security Question form, select a locale, and provide the question text for that locale. When you have added the localized text for your question, click Add, then repeat for each locale. When you have completed the new question, click Done.
-
On the Settings tab, set the following:
-
Must define refers to the minimum number of security questions the user must set up during registration.
-
Must answer refers to the minimum number of questions the user must answer to satisfy a security prompt.
-
Lockout specifies the number of failed attempts to answer a security question before the user is unable to try again.
If you are using an explicit mapping for managed user objects, you must add the property name you set to your database schema and to the
objectToColumnmapping in your repository configuration file.You also need to create a new column in the
openidm.managed_usertable with the name of your new property, and a datatype ofVARCHAR.Once you deploy these security questions, you should never remove or change existing security questions, as users might have included those questions during the user self-registration process.
-
Associated nodes
There are three nodes associated with KBA:
- KBA Definition node
-
The KBA Definition node is used during registration. It prompts the user to choose security questions, and define answers to these questions for use during identity verification. The questions are selectable from a list. The list also includes an option to define their own question, if they wish.
- KBA Verification node
-
The KBA Verification node is used to verify a user’s identity using security questions, such as during a Reset Password flow. It displays the number of questions set in the Must Answer field in the Security Questions settings. If the user has defined answers for more questions than is required, which questions will be displayed are randomized.
- KBA Decision node
-
The KBA Decision node is primarily used in cases of a Progressive Profile flow, where you ensure a user has defined answers to the minimum number of questions required by the system. This can be useful if the number of questions changes, so the user can be prompted to fill out any necessary additional questions when they next log in. In this case, the KBA Decision node would be used together with the KBA Definition node; if the KBA Decision node evaluates false, the user would then be taken to the KBA Definition node.
Terms and conditions
Terms and conditions display the terms and conditions for using your service. Terms and conditions are not considered optional; users must accept the terms before they are able to progress in the account creation process.
Configuration
To set up terms and conditions:
-
Select Terms & Conditions and click + New Version.
-
Enter a version number for the new terms and conditions, then click Next.
Terms and conditions are tracked using versioning. The default placeholder set of terms and conditions has a version of
0.0, but the versioning can follow other patterns, such as dates. -
Enter the locale for which these terms and conditions apply, expressed as its ISO 639-1 code (for example,
enorfr), then click Add. -
Enter the text of your terms and conditions:
-
Terms and conditions content is formatted using Markdown. You can also use HTML formatting, which is converted into Markdown when you save or publish. See Terms and conditions content formatting.
You cannot add your own idattributes using HTML formatting, as they are stripped out when the HTML formatting is converted to Markdown. Instead, if you need to link to different parts of the terms and conditions content, you must use the formatted header IDs in the HTML output. See Link to terms and conditions content. -
Click Styles to apply additional CSS styling to the HTML that is rendered from the Markdown.
-
The text supports localization. When you have added the terms and conditions for this locale, click Locale: locale-nameˇ, then click + Add locale to add the text for another locale.
-
Click Try it out to see how your terms and conditions will appear to your users.
-
-
Save or publish the new version.
When you have published a version, the terms and conditions cannot be edited. Be sure to proofread your text before publishing. -
Click Save as Draft to save this version for future publication. You can edit a draft version.
-
Click Publish to publish this version.
Select Set as Active Version to make this the Active version of your terms and conditions. Only one version of terms and conditions can be active at a time, for each locale. Selecting this option will deactivate the currently active version, and make this version active instead.
-
Associated nodes
There are two nodes associated with terms and conditions:
- Accept Terms and Conditions node
-
The Accept Terms and Conditions node presents the user with a notice that continuing means they agree with the terms and conditions you have set, along with a link to view the terms and conditions, and a button to continue. Because this node includes a button to continue by default, it should generally be the last node in a Page node, or on its own page. It will automatically make use of the terms and conditions version that is currently active; you do not need to specify the version in the node.
- Terms and Conditions Decision node
-
The Terms and Conditions Decision node is used in Progressive Profile trees, where you wish to confirm that the user has accepted the currently active terms and conditions. If the terms and conditions version has been updated, the decision will evaluate to
false, which, when connected to the Accept Terms and Conditions node, will present the user an opportunity to accept the new terms and conditions.
Terms and conditions content formatting
The editor primarily uses Markdown to format the terms and conditions content.
You can also use HTML to add formatting to all or part of the content.
However, the HTML is only a convenient input method,
and the editor converts it to Markdown when you save or publish the content.
This strips out any attributes in your HTML formatting, including id attributes.
| Some HTML elements, such as definition lists, cannot be converted into Markdown, as there is no Markdown equivalent. These HTML elements are not converted and remain as HTML in the terms and conditions content. |
Link to terms and conditions content
To display the terms and conditions content to the end user, the UI renders it from Markdown into HTML.
When it renders the HTML output, it creates id attributes, but only on the header elements.
To create a formatted value for each id attribute, it starts with the header element value,
converts it to lower case, and then removes spaces and special characters (except underscores).
Here are some examples:
| Markdown | Formatted header ID | HTML output |
|---|---|---|
# Example 123 |
example123 |
|
# Example! |
example |
|
# Example -/=()%^&\*@£ |
example |
|
# Example_1 |
example_1 |
|
# Example -/=()%^&\*@£_ Example |
example_example |
|
To link to different parts of the terms and conditions content, you must therefore find the formatted header IDs in the HTML output and use them in your HTML anchors.
Privacy and consent
Privacy and consent, in the context of registration and self-service, refers to presenting users with information about which external resources their information may be shared with, such as sales and marketing services. The ForgeRock Identity Platform manages these connections in IDM, where consent is configured per external connection, or mapping. A mapping refers to the user’s information, mapped to related fields in an external service, which is then synchronized by IDM. For more information, see Mapping data between resources in the IDM documentation.
Configuration
To enable consent for a mapping:
-
Select Configure > Mappings, then select Edit on the mapping that you wish to configure.
-
Select the Advanced tab, then enable Enable Privacy & Consent.
|
The above steps assume you have already created at least one mapping. You can also enable privacy and consent when creating the mapping: the same Enable Privacy & Consent switch is present when you click Create Mapping during the mapping creation process. |
Associated nodes
There is one node associated with privacy and consent:
- Consent Collector node
-
The Consent Collector node presents the user with a list of all the mappings the user is affected by that have privacy and consent enabled. Each mapping can be individually selected or disabled; if you require all mappings to be allowed, there is an option in the node to make all mappings required.
The node can be used during registration or during progressive profile flows. If using this node in a progressive profile flow, you will need to use the Query Filter Decision node to check for the presence of your desired mappings in the user’s
consentedMappingsattribute.
Example registration REST output
When calling a registration self-service endpoint, you will receive a JSON object back, containing callbacks for each of the nodes included in the registration tree.
Example based on the sample Registration tree:
{
"authId": "<omitted for length>",
"callbacks": [
{
"type": "ValidatedCreateUsernameCallback",
"output": [
{
"name": "policies",
"value": {
"policyRequirements": [
"REQUIRED",
"MIN_LENGTH",
"VALID_TYPE",
"UNIQUE",
"CANNOT_CONTAIN_CHARACTERS"
],
"fallbackPolicies": null,
"name": "userName",
"policies": [
{
"policyRequirements": [
"REQUIRED"
],
"policyId": "required"
},
{
"policyRequirements": [
"REQUIRED"
],
"policyId": "not-empty"
},
{
"policyRequirements": [
"MIN_LENGTH"
],
"policyId": "minimum-length",
"params": {
"minLength": 1
}
},
{
"policyRequirements": [
"VALID_TYPE"
],
"policyId": "valid-type",
"params": {
"types": [
"string"
]
}
},
{
"policyId": "unique",
"policyRequirements": [
"UNIQUE"
]
},
{
"policyId": "no-internal-user-conflict",
"policyRequirements": [
"UNIQUE"
]
},
{
"policyId": "cannot-contain-characters",
"params": {
"forbiddenChars": [
"/"
]
},
"policyRequirements": [
"CANNOT_CONTAIN_CHARACTERS"
]
}
],
"conditionalPolicies": null
}
},
{
"name": "failedPolicies",
"value": []
},
{
"name": "validateOnly",
"value": false
},
{
"name": "prompt",
"value": "Username"
}
],
"input": [
{
"name": "IDToken1",
"value": ""
},
{
"name": "IDToken1validateOnly",
"value": false
}
],
"_id": 0
},
{
"type": "StringAttributeInputCallback",
"output": [
{
"name": "name",
"value": "givenName"
},
{
"name": "prompt",
"value": "First Name"
},
{
"name": "required",
"value": true
},
{
"name": "policies",
"value": {
"policyRequirements": [
"REQUIRED",
"VALID_TYPE"
],
"fallbackPolicies": null,
"name": "givenName",
"policies": [
{
"policyRequirements": [
"REQUIRED"
],
"policyId": "required"
},
{
"policyRequirements": [
"VALID_TYPE"
],
"policyId": "valid-type",
"params": {
"types": [
"string"
]
}
}
],
"conditionalPolicies": null
}
},
{
"name": "failedPolicies",
"value": []
},
{
"name": "validateOnly",
"value": false
},
{
"name": "value",
"value": ""
}
],
"input": [
{
"name": "IDToken2",
"value": ""
},
{
"name": "IDToken2validateOnly",
"value": false
}
],
"_id": 1
},
{
"type": "StringAttributeInputCallback",
"output": [
{
"name": "name",
"value": "sn"
},
{
"name": "prompt",
"value": "Last Name"
},
{
"name": "required",
"value": true
},
{
"name": "policies",
"value": {
"policyRequirements": [
"REQUIRED",
"VALID_TYPE"
],
"fallbackPolicies": null,
"name": "sn",
"policies": [
{
"policyRequirements": [
"REQUIRED"
],
"policyId": "required"
},
{
"policyRequirements": [
"VALID_TYPE"
],
"policyId": "valid-type",
"params": {
"types": [
"string"
]
}
}
],
"conditionalPolicies": null
}
},
{
"name": "failedPolicies",
"value": []
},
{
"name": "validateOnly",
"value": false
},
{
"name": "value",
"value": ""
}
],
"input": [
{
"name": "IDToken3",
"value": ""
},
{
"name": "IDToken3validateOnly",
"value": false
}
],
"_id": 2
},
{
"type": "StringAttributeInputCallback",
"output": [
{
"name": "name",
"value": "mail"
},
{
"name": "prompt",
"value": "Email Address"
},
{
"name": "required",
"value": true
},
{
"name": "policies",
"value": {
"policyRequirements": [
"REQUIRED",
"VALID_TYPE",
"VALID_EMAIL_ADDRESS_FORMAT"
],
"fallbackPolicies": null,
"name": "mail",
"policies": [
{
"policyRequirements": [
"REQUIRED"
],
"policyId": "required"
},
{
"policyRequirements": [
"VALID_TYPE"
],
"policyId": "valid-type",
"params": {
"types": [
"string"
]
}
},
{
"policyId": "valid-email-address-format",
"policyRequirements": [
"VALID_EMAIL_ADDRESS_FORMAT"
]
}
],
"conditionalPolicies": null
}
},
{
"name": "failedPolicies",
"value": []
},
{
"name": "validateOnly",
"value": false
},
{
"name": "value",
"value": ""
}
],
"input": [
{
"name": "IDToken4",
"value": ""
},
{
"name": "IDToken4validateOnly",
"value": false
}
],
"_id": 3
},
{
"type": "BooleanAttributeInputCallback",
"output": [
{
"name": "name",
"value": "preferences/marketing"
},
{
"name": "prompt",
"value": "Send me special offers and services"
},
{
"name": "required",
"value": true
},
{
"name": "policies",
"value": {}
},
{
"name": "failedPolicies",
"value": []
},
{
"name": "validateOnly",
"value": false
},
{
"name": "value",
"value": false
}
],
"input": [
{
"name": "IDToken5",
"value": false
},
{
"name": "IDToken5validateOnly",
"value": false
}
],
"_id": 4
},
{
"type": "BooleanAttributeInputCallback",
"output": [
{
"name": "name",
"value": "preferences/updates"
},
{
"name": "prompt",
"value": "Send me news and updates"
},
{
"name": "required",
"value": true
},
{
"name": "policies",
"value": {}
},
{
"name": "failedPolicies",
"value": []
},
{
"name": "validateOnly",
"value": false
},
{
"name": "value",
"value": false
}
],
"input": [
{
"name": "IDToken6",
"value": false
},
{
"name": "IDToken6validateOnly",
"value": false
}
],
"_id": 5
},
{
"type": "ValidatedCreatePasswordCallback",
"output": [
{
"name": "echoOn",
"value": false
},
{
"name": "policies",
"value": {
"policyRequirements": [
"REQUIRED",
"MIN_LENGTH",
"VALID_TYPE",
"AT_LEAST_X_CAPITAL_LETTERS",
"AT_LEAST_X_NUMBERS",
"CANNOT_CONTAIN_OTHERS"
],
"fallbackPolicies": null,
"name": "password",
"policies": [
{
"policyRequirements": [
"REQUIRED"
],
"policyId": "not-empty"
},
{
"policyRequirements": [
"MIN_LENGTH"
],
"policyId": "minimum-length",
"params": {
"minLength": 8
}
},
{
"policyRequirements": [
"VALID_TYPE"
],
"policyId": "valid-type",
"params": {
"types": [
"string"
]
}
},
{
"policyId": "at-least-X-capitals",
"params": {
"numCaps": 1
},
"policyRequirements": [
"AT_LEAST_X_CAPITAL_LETTERS"
]
},
{
"policyId": "at-least-X-numbers",
"params": {
"numNums": 1
},
"policyRequirements": [
"AT_LEAST_X_NUMBERS"
]
},
{
"policyId": "cannot-contain-others",
"params": {
"disallowedFields": [
"userName",
"givenName",
"sn"
]
},
"policyRequirements": [
"CANNOT_CONTAIN_OTHERS"
]
}
],
"conditionalPolicies": null
}
},
{
"name": "failedPolicies",
"value": []
},
{
"name": "validateOnly",
"value": false
},
{
"name": "prompt",
"value": "Password"
}
],
"input": [
{
"name": "IDToken7",
"value": ""
},
{
"name": "IDToken7validateOnly",
"value": false
}
],
"_id": 6
},
{
"type": "KbaCreateCallback",
"output": [
{
"name": "prompt",
"value": "Select a security question"
},
{
"name": "predefinedQuestions",
"value": [
"What's your favorite color?",
"Who was your first employer?"
]
}
],
"input": [
{
"name": "IDToken8question",
"value": ""
},
{
"name": "IDToken8answer",
"value": ""
}
],
"_id": 7
},
{
"type": "KbaCreateCallback",
"output": [
{
"name": "prompt",
"value": "Select a security question"
},
{
"name": "predefinedQuestions",
"value": [
"What's your favorite color?",
"Who was your first employer?"
]
}
],
"input": [
{
"name": "IDToken9question",
"value": ""
},
{
"name": "IDToken9answer",
"value": ""
}
],
"_id": 8
},
{
"type": "TermsAndConditionsCallback",
"output": [
{
"name": "version",
"value": "0.0"
},
{
"name": "terms",
"value": "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum."
},
{
"name": "createDate",
"value": "2019-10-28T04:20:11.320Z"
}
],
"input": [
{
"name": "IDToken10",
"value": false
}
],
"_id": 9
}
],
"header": "Sign Up",
"description": "Signing up is fast and easy.<br>Already have an account? <a href='#/service/Login'>Sign In</a>"
}Social authentication
You can configure user self-registration to include social identity providers as an option for users. This lets users register and log in to ForgeRock Identity Platform using an account they have through another trusted service.
These topics describe the high-level steps to configure social authentication.
Configure social identity providers
ForgeRock Identity Platform supports social identity providers that are OAuth 2.0 or OpenID Connect 1.0-compliant. A number of social identity providers are configured by default:
Amazon |
Apple |
|
itsme(1) |
||
Microsoft |
Salesforce |
|
VK (Vkontakte) |
||
WordPress |
Yahoo |
(1) To integrate with itsme, you must obtain an Organization Validation (OV) certificate.
You must also configure it in the container where AM runs, or in the reverse proxy offloading SSL.
You can add providers that are not configured by default, as long as these providers have a solution implemented using either OAuth 2.0, or OpenID Connect.
Add identity providers
-
Register a service in the identity provider, and keep the provider’s documentation within reach. You will use it during this procedure.
To register a service in a provider, you must at least create a client ID and add the redirection URL to ForgeRock Identity Platform.
Redirect URLs
A redirect URL is a path in ForgeRock Identity Platform (AM) to which the identity provider redirects the user on successful authentication. For example,
https://platform.example.com:8443/am.Depending on the social identity provider and on your environment, you might need to make changes to the redirect URL later.
Configure the same redirect URL in the identity provider service and in the ForgeRock Identity Platform client.
Some providers require that you enable a specific API in their service:
-
Enable the
Gmail APIin the Google Cloud Platform. - Apple
-
You must have access to the Apple Development Program (Enterprise program is not eligible), and you must enable
Sign In With Applein the Apple Developer site.
-
In the AM admin UI, go to Realms > Realm Name > Services.
-
Check if the
Social Identity Provider Serviceappears in the list of services configured for the realm.If it does not, click on Add a Service, and select
Social Identity Provider Servicefrom the drop-down list. -
Ensure that the Enabled switch is on.
-
Go to the Secondary Configurations tab.
ForgeRock Identity Platform includes scripts and configurations for several common identity providers.
-
In the Add a Secondary Configuration drop-down list, select the required identity provider.
If you do not see the required provider, select one of the following to add a custom identity provider client:
-
Client Configuration for providers that implement the OAuth2 specification
-
Client Configuration for providers that implement the OpenID Connect specification
-
-
Provide the client’s required configuration details, such as the Client ID, Client Secret (for confidential clients), the Scope Delimiter (usually an empty space), and the Redirect URL.
Redirect URLs
A redirect URL is a path in ForgeRock Identity Platform (AM) to which the identity provider redirects the user on successful authentication. For example,
https://platform.example.com:8443/am.Depending on the social identity provider and on your environment, you might need to make changes to the redirect URL later.
Configure the same redirect URL in the identity provider service and in the ForgeRock Identity Platform client.
Don’t worry if you are missing some of the details; you’ll be able to edit the configuration later, after saving the client profile for the first time.
Save your changes to access all the configuration fields for the client.
-
Provide the client’s advanced configuration details, and edit any required configuration details if needed.
Where do I find the required identity provider information?
-
Refer to the provider’s documentation.
Providers must specify their integration needs in their documentation, as well as their API endpoints.
For example, providers usually have different scopes that you can configure depending on your service’s needs.
Financial-grade providers usually also require additional security-related configuration, such as
acrvalues, PKCE-related settings, and more.Keep their documentation close while configuring the client profile.
-
Visit the provider’s
.well-knownendpoint.OAuth 2.0/OpenID Connect-compliant providers will display much of the information you need to configure the identity provider client in their
.well-knownendpoint. For example, the endpoint should expose their endpoint URLs, and the signing and encryption algorithms they support.
ForgeRock Identity Platform is preconfigured, but you must make sure the settings for the provider have not changed. Some of the most important preconfigured fields are:
-
The provider’s URLs. For example, Authentication Endpoint URL , Access Token Endpoint URL , and User Profile Service URL .
-
The OAuth Scopes field.
-
The configuration in the UI Config Properties section.
-
The script selected in the Transform Script drop-down list.
Scripts named after identity providers are suitable for most use cases. To view or edit the scripts, go to Realms > Realm Name > Scripts.
Some features require choosing algorithms from those supported by the provider, as well as creating secrets. Consider the following points before configuring the client:
-
Several capabilities in the identity provider client share the same secret IDs. For example, signing request objects and signing client authentication JWTs.
-
Every identity provider client in a realm shares the same secrets.
Therefore, ensure that you configure features requiring secrets in a way that they are compatible across clients in the same realm.
For more information, see the page about the /oauth2/connect/rp/jwk_uri endpoint.
For tips on how to configure the client, see Client configuration reference.
-
-
Save your changes.
You are ready now to Configure basic social registration trees.
|
To let AM contact Internet services through a proxy, see Configuring AM for Outbound Communication. You can control the behavior of the connection factory that AM uses as a client of the social identity providers: Client connection handler propertiesThe following advanced server properties control different aspects of the connection factory:
They have sensible defaults configured, but if you need to change them, see Advanced Properties. |
Configure basic social registration trees
There are two nodes associated with Identity Providers:
- Select Identity Provider node
-
The Select Identity Provider Node prompts the user to select a social identity provider to register or log in with, or (optionally) continue on with a local registration or login flow. When a provider is selected, the flow continues on to the Social Provider Handler node.
- Social Provider Handler node
-
The Social Provider Handler Node is used in combination with the Select Identity Provider node. It communicates with the selected provider and collects the information provided after the user has authorized the service. It then takes that information and runs a transformation script to prepare it.
ForgeRock Identity Platform includes a transformation script called Normalized Profile to Managed User, which this node uses to transform the identity object gathered from the identity provider into a ForgeRock Identity Platform object.
AM includes a transformation script called Normalized Profile to Identity, which this node uses to transform the identity object gathered from the identity provider into a user profile in AM’s identity store.
The node then queries IDM to see if the user already exists. If the user exists, they are logged in. If the user does not exist, the user will need to be created.
The node then queries the identity store available for the realm to see if the user already exists. If the user exists, they are logged in. If the user does not exist, the user will need to be created.
Set up a basic social registration tree
-
In your realm, go to Journeys.
You can create a new tree, modify an existing tree, or duplicate an existing tree.
-
Decide whether users can log in with their local credentials, and add the relevant nodes to the tree:
-
Social authentication trees allowing local authentication might look like the following:
-
Social authentication trees enforcing social authentication login might look like the following:
To configure either option, use the Include local authentication switch in the Select Identity Provider Node.
Note that, to support both local and social authentication in the same page, you must use the Page Node as shown in the example.
-
-
Configure the Social Provider Handler Node:
-
In the Transformation Script field, configure
Normalized Profile to Managed User. This script will transform the normalized identity provider’s profile object into an appropriate object that ForgeRock Identity Platform can use.Find the script in Realms > Realm Name > Scripts.
-
In Client Type , select
BROWSERwhen using the ForgeRock Identity Platform UI, or the ForgeRock SDK for JavaScript.
-
-
Configure the Required Attributes Present Node and the Create Object Node:
In the Identity Resource field, configure the relevant managed identity resource type. For example,
managed/userormanaged/alpha_user.
To check for the available managed identity resource types, go to the IDM admin UI, and open the Manage drop-down list, at the upper right corner of the screen.
Identity managed object types are preceded by the icon.
-
Configure the Attribute Collector Node adding, at least, the
mail,givenName, andsnattributes.
Configure social registration with account claiming
If your users have one or more social identity provider accounts, they can link them to the same ForgeRock Identity Platform account. For more information, see Account Claiming: Links Between Accounts and Social Identity Providers.
The following example builds on the basic social registration tree shown in Set up a basic social registration tree:
The tree uses the Identify Existing User Node to determine if the user is already registered in ForgeRock Identity Platform. By default, the node checks whether the email address associated with the account is already registered in ForgeRock Identity Platform.
Ensure that you configure the Transformation Script in the Social Provider Handler Node, and the Identity Resource field in the Patch Object Node.
See Set up a basic social registration tree for tips.
Client configuration reference
- Enabled
-
Specifies whether the provider is enabled.
Required: Yes.
- Auth ID Key
-
Specifies the attribute the social identity provider uses to identify an authenticated individual. For example,
id,sub, anduser_id.Required: Yes.
- Client ID
-
Specifies the
client_idparameter as described in section 2.2 of The OAuth 2.0 Authorization Framework specification.Required: Yes.
- Client Secret
-
Specifies the
client_secretparameter as described in section 2.3 of The OAuth 2.0 Authorization Framework specification.Required: No.
- Authentication Endpoint URL
-
Specifies the URL to the social provider’s endpoint handling authentication as described in section 3.1 of The OAuth 2.0 Authorization Framework. For example,
https://accounts.google.com/oauth2/v2/auth.Required: Yes.
- Access Token Endpoint URL
-
Specifies the URL to the endpoint handling access tokens as described in section 3.2 of The OAuth 2.0 Authorization Framework specification. For example,
https://www.googleapis.com/oauth2/v4/token.Required: Yes.
- User Profile Service URL
-
Specifies the user profile URL that returns profile information. For example,
https://www.googleapis.com/oauth2/v3/userinfo.This URL should return JSON objects in its response.
Required: No.
- Token Introspection Endpoint URL
-
Specifies the URL to the endpoint handling access token validation, as described in the OAuth 2.0 Token Introspection specification. For example,
https://oauth2.googleapis.com/tokeninfo.Required: No.
- Redirect URL
-
Specifies the URL the identity provider will redirect the user to after authenticating, as described in Section 3.1.2 of The OAuth 2.0 Authorization Framework specification.
This URL is usually a page or path in AM; for example,
https://platform.example.com:8443/am, and it is also registered in the identity provider’s service.You can also use a custom URI scheme as the redirect, if you are using an app built with the ForgeRock SDKs for Android or iOS. For example,
com.example.sdkapp:redirect_uri_pathorfrauth://com.forgerock.ios.sdkapp.When using the
FORM_POSTResponse Mode, you must specify theform_postendpoint in the redirection URL. See Response Mode for more information.Required: Yes.
- Redirect after form post URL
-
Specifies the URL of a custom login page or application. ForgeRock Identity Platform will send processed form post data related to social login authentication to that URL as the value of the
form_post_entryquery parameter.To continue the authentication journey, the custom login page is responsible for making a call to the ForgeRock Identity Platform
/json/authenticateendpoint with the authentication ID (authID) and the processed form data (form_post_entry).Configure this property when the following is true:
-
The
FORM_POSTResponse Mode is configured. -
Your users log in to ForgeRock Identity Platform using custom login pages, such as apps using the ForgeRock SDKs, instead of the ForgeRock Identity Platform UI.
Required: No.
-
- Scope Delimiter
-
Specifies the delimiter used to separate scope values. For example, a blank space (), or a comma character (,).
Most providers use a blank space.
Required: Yes.
- OAuth Scopes
-
Specifies the list of scopes to request from the provider.
The scopes that the provider returns depends on the permissions that the resource owner, such as the end user, grants to the client application.
For example, Google exposes its supported scopes in their OAuth 2.0 Scopes for Google APIs documentation.
Required: Yes.
- Client Authentication Method
-
Specifies how the client should authenticate to the provider. Possible values are:
-
CLIENT_SECRET_POST. The client sends the client ID and the secret in theclient_IDand theclient_secretparameters in the body of the request. -
CLIENT_SECRET_BASIC. The client sends the client ID and the secret in a basic authorization header with the base64-encoded value of client-id:client-secret. -
PRIVATE_KEY_JWT. The client sends its credentials to the provider in a signed JWT as specified in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants. -
ENCRYPTED_PRIVATE_KEY_JWT. The client sends its credentials to the provider in a signed, then encrypted JWT as specified in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants. -
TLS_CLIENT_AUTH. The client presents a X.509 certificate that uses public key infrastructure (PKI), as specified in the OAuth 2.0 Mutual TLS (mTLS) Client Authentication and Certificate Bound Access Tokens. -
SELF_SIGNED_TLS_CLIENT_AUTH. The client presents a X.509 self-signed certificate, as specified in the OAuth 2.0 Mutual TLS (mTLS) Client Authentication and Certificate Bound Access Tokens.Some of the authentication methods require additional configuration:
How do I configure JWT authentication with signed JWTs?
-
Obtain a list of supported signing algorithms from the provider’s
.well-knownendpoint, and decide which one you will use. -
In the Private Key JWT Signing Algorithm field, enter the signing algorithm that ForgeRock Identity Platform will use to sign the JWT. For example,
RSA256.This field may already be configured if the client is sending request objects.
-
Create a signing secret, and map it to the
am.services.oauth2.oidc.rp.jwt.authenticity.signingsecret ID in an AM secret store.The secret ID may already have secrets mapped to it if the client is sending signed request objects to the provider, or if another client in the realm is already using it.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
-
Provide a JWK with the public key to the identity provider. Refer to their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider’s service configuration, or you could configure the realm’s
/oauth2/connect/rp/jwk_uriendpoint, which exposes the client’s public keys.Configure the realm’s
/oauth2/connect/rp/jwk_uriendpoint in the provider, which exposes the client’s public keys. Refer to the provider’s documentation for more information. -
Change the value in the Private Key JWT Expiration Time (seconds) field, if needed. It has a sensible value preconfigured, but you may need to tune it for your provider.
How do I configure JWT authentication with signed and encrypted JWTs?
-
Follow the steps in How do I configure JWT authentication with signed JWTs? to configure ForgeRock Identity Platform to sign authentication JWTs.
Now you are ready to configure ForgeRock Identity Platform to encrypted authentication JWTs.
-
Obtain a list of supported encryption algorithms and methods from the provider’s
.well-knownendpoint, and decide which one you will use. -
In the JWT Encryption Algorithm field, select the encryption algorithm.
If the required encryption algorithm does not appear in the drop-down, check the reference entry for the JWT Encryption Algorithm field for information on how to add it.
This field may already be configured if the client is encrypting request objects.
-
In the JWT Encryption Method field, select the encryption method.
This field may already be configured if the client is encrypting request objects.
-
In the JWKS URI Endpoint field, configure the URI containing the provider’s public JWK set.
Obtain the URI from the provider’s
.well-knownendpoint, or their documentation.ForgeRock Identity Platform will use the JWK URI to fetch the provider’s public encryption key.
-
Perform one of the following steps depending on the encryption method you configured:
-
If you chose Direct AES Encryption method, select
NONEin the JWT Signing Algorithm field. Signing is redundant with this encryption method. -
If you chose an encryption method different from the Direct AES Encryption method, configure signing. For more information, see How do I configure JWT authentication with signed JWTs?.
-
How do I configure mTLS authentication with PKI?
-
Obtain a certificate for ForgeRock Identity Platform to use as a client. This certificate must be signed by a certificate authority (CA).
You can use the same certificate for different social identity provider client configurations, and you can only have one mTLS certificate by realm (either PKI-related, or self-signed).
-
Make the certificate available to ForgeRock Identity Platform configuring it in an AM secret store, and map its alias to the
am.services.oauth2.mtls.client.authenticationsecret ID.For example, you can create a
PKCS12keystore secret store.For more information, see Configure secret stores.
Even though the identity provider should trust the CA certificate automatically, the client certificate will appear in the /oauth2/connect/rp/jwk_uri endpoint.
How do I configure mTLS authentication with self-signed certificates?
-
Obtain a self-signed certificate that ForgeRock Identity Platform will use as a client.
You can use the same certificate for different social identity provider client configurations, and you can only have one mTLS certificate by realm (either PKI-related, or self-signed).
-
Make the certificate available to ForgeRock Identity Platform configuring it in an AM secret store, and map its alias to the
am.services.oauth2.mtls.client.authenticationsecret ID.For example, you can create a
PKCS12keystore secret store.For more information, see Configuring Secret Stores.
To trust the self-signed certificate, the social identity provider must be able to access its public key and certificate. Social identity providers may have different ways of accessing public keys; for example, you may be able to configure the public JWK directly in the provider, or you may be able to provide ForgeRock Identity Platform’s /oauth2/connect/rp/jwk_uri endpoint, which exposes it.
Refer to your social identity provider documentation for more information.
Required: Yes.
-
-
- PKCE Method
-
Specifies the PKCE transformation method ForgeRock Identity Platform uses when making requests to the provider’s authorization endpoint, as specified in Section 4.2 of the Proof Key for Code Exchange by OAuth Public Clients specification.
Select
NONEto disable PKCE transformations.Required: No.
- Request Parameter JWT Option
-
(OpenID Connect providers only) Specifies whether ForgeRock Identity Platform should provide a request object JWT to the provider. Possible values are:
-
NONE. ForgeRock Identity Platform does not send a request object to the provider. -
REFERENCE. The request object JWT is stored in AM’s CTS token store, and ForgeRock Identity Platform exposes a unique identifier for it using theoauth2/request_uriendpoint for the realm. The URL to the endpoint and the JWT’s unique identifier are passed to the provider in therequest_uriparameter of the request.Ensure that the provider can reach the endpoint.
An example of the URL is
https://platform.example.com:8443/am/realms/root/realms/myRealm/oauth2/request_uri/requestobjectIDWhen integrating with itsme, ensure that the base URL of AM contains the
443port. For example,https://platform.example.com:443/am.To do this, configure the reverse proxy or load balancer to expose the port, or the Base URL Source Service:
-
In the AM admin UI, go to Realms > Realm Name > Services.
-
Add a Base URL Source service if one is not already configured, or select it to change its properties:
-
-
VALUE. ForgeRock Identity Platform appends the JWT as the value of therequestparameter of the request.How do I configure the client to send signed request objects?
-
In the Request Parameter JWT Option field, select either
VALUEorREFERENCE.Refer to your identity provider’s documentation for more information.
-
Obtain a list of supported signing algorithms from the provider’s
.well-knownendpoint, and decide which one you will use. -
In the JWT Signing Algorithm field, select the signing algorithm that ForgeRock Identity Platform will use to sign the request object. For example,
RS256.This field may already be configured if the client is using JWT client authentication.
-
Create a signing secret that uses the algorithm you selected previously, and map it to the`am.services.oauth2.oidc.rp.jwt.authenticity.signing` secret ID in an AM secret store.
The secret ID may already have secrets mapped to it if the client is using JWT client authentication, or if another client in the realm is already using it.
For more information, see Configure secret stores, and /oauth2/connect/rp/jwk_uri.
-
Provide a JWK with the public key to the identity provider. Refer to their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider’s service configuration, or you could configure the realm’s
/oauth2/connect/rp/jwk_uriendpoint, which exposes the client’s public keys.Configure the realm’s
/oauth2/connect/rp/jwk_uriendpoint in the provider, which exposes the client’s public keys. Refer to the provider’s documentation for more information.
How do I configure the client to send signed and encrypted request objects?
-
Follow the steps in How do I configure the client to send signed request objects? to configure ForgeRock Identity Platform to send signed request objects.
Now you are ready to configure ForgeRock Identity Platform to send encrypted request objects.
-
Enable Encrypt Request Parameter JWT.
-
Obtain a list of supported encryption algorithms and methods from the provider’s
.well-knownendpoint, and decide which one you will use. -
In the JWT Encryption Algorithm field, select the encryption algorithm.
If the required encryption algorithm does not appear in the drop-down, check the reference entry for the JWT Encryption Algorithm field for information on how to add it.
This field may already be configured if the client is encrypting authentication JTWs.
-
In the JWT Encryption Method field, select the encryption method.
This field may already be configured if the client is encrypting authentication JWTs.
-
In the JWKS URI Endpoint field, configure the URI containing the provider’s public JWK set.
Obtain the URI from the provider’s
.well-knownendpoint.ForgeRock Identity Platform will use the JWK URI to fetch the provider’s public encryption key.
-
Perform one of the following steps depending on the encryption method you configured:
-
If you chose Direct AES Encryption method, select
NONEin the JWT Signing Algorithm field. Signing is redundant with this encryption method. -
If you chose an encryption method different from the Direct AES Encryption method, configure signing. For more information, see How do I configure the client to send signed request objects?.
-
-
-
- Encrypt Request Parameter JWT
-
Specifies whether the request parameter must be encrypted when Request Parameter JWT Option is set to
REFERENCEorVALUE. - ACR Values
-
(OpenID Connect providers only) Specifies a space-separated list, in order of preference, of the client’s
acrvalues.Required: No.
- Well Known Endpoint
-
(OpenID Connect providers only) Specifies the URL for retrieving information about the provider, such as endpoints, and public keys. For example,
https://accounts.google.com/.well-known/openid-configuration.Required: Yes.
- Request Object Audience
-
(OpenID Connect providers only) Specifies the intended audience (
aud) of the request object when the Request Parameter JWT Option field is set toVALUEorREFERENCE.When not configured, the value of the Issuer field will be used as the audience of the request object.
- OP Encrypts ID Tokens
-
(OpenID Connect providers only) Specifies whether the provider encrypts ID Tokens.
How do I configure the ForgeRock Identity Platform to receive encrypted tokens?
-
Obtain a list of supported ID token encryption algorithms from the provider’s
.well-knownendpoint, and decide which one the client will use. -
Create a suitable secret for the algorithm that you chose, and map it to the
am.services.oauth2.oidc.rp.idtoken.encryptionsecret ID in an AM secret store.The secret ID may already have secrets mapped if another client in the realm is already using it.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
-
Provide a JWK with the public key to the identity provider. Refer to their documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider’s service configuration, or you could configure the realm’s
/oauth2/connect/rp/jwk_uriendpoint, which exposes the client’s public keys.Configure the realm’s
/oauth2/connect/rp/jwk_uriendpoint in the provider, which exposes the client’s public keys. Refer to the provider’s documentation for more information.
Required: No.
-
- Issuer
-
(OpenID Connect providers only) Specifies the issuer of ID Tokens. Must exactly match the value returned in the ID token.
Obtain the
issuervalue from the provider’s.well-knownendpoint.Required: Yes.
- Enable Native Nonce
-
(OpenID Connect providers only) When enabled, the provider native SDK must include a
nonceclaim in the ID token. The value of the claim must be the value of thenonceclaim sent in the Authentication Request.Required: No.
- User Info Response Format
-
(OpenID Connect providers only) Specifies the format in which the provider’s
userinfoendpoint returns data.Some of the options require additional configuration:
How do I configure the client to receive signed userinfo JWTs?
-
In the JWKS URI Endpoint field, configure the URL containing the provider’s public JWK set. Obtain it from the provider’s
.well-knownendpoint, or their documentation.ForgeRock Identity Platform will use this URL to fetch the provider’s public signing key.
How do I configure the client to receive signed, then encrypted userinfo JWTs?
-
Follow the steps in How do I configure the client to receive signed userinfo JWTs? to configure ForgeRock Identity Platform to receive signed JWTs.
Now you are ready to configure ForgeRock Identity Platform to receive encrypted JWTs.
-
Obtain a list of supported ID token encryption algorithms from the provider’s
.well-knownendpoint, and decide which one the client will use. -
Create a suitable secret for the algorithm that you chose, and map it to the
am.services.oauth2.oidc.rp.idtoken.encryptionsecret ID in an AM secret store.The secret ID may already have secrets mapped if another client in the realm is already using it, or if the provider encrypts ID tokens.
For more information, see Configuring Secret Stores, and /oauth2/connect/rp/jwk_uri.
-
Provide a JWK with the public key to the identity provider. Refer to the identity provider’s documentation for more information.
For example, you could copy the contents of the public JWK in a field in the provider’s service configuration, or you could configure the realm’s
/oauth2/connect/rp/jwk_uriendpoint, which exposes the client’s public keys.Configure the realm’s
/oauth2/connect/rp/jwk_uriendpoint in the provider, which exposes the client’s public keys. Refer to the provider’s documentation for more information.
Possible values are:
-
JSON. The provider’suserinfoendpoint returns a JSON object. -
SIGNED_JWT. The provider’suserinfoendpoint returns a signed JWT. -
SIGNED_THEN_ENCRYPTED_JWT. The provider’suserinfoendpoint returns a signed, then encrypted JWT.
-
- JWKS URI Endpoint
-
Specifies the URI that contains the public keys of the identity provider. ForgeRock Identity Platform will use these keys to verify signatures, or to encrypt objects.
Configure this field when:
-
Client Authentication Method is set to
ENCRYPTED_PRIVATE_KEY_JWT. -
Encrypt Request Parameter JWT is enabled.
-
User Info Response Format is set to
SIGNED_JWTorSIGNED_THEN_ENCRYPTED_JWT.
Required: No.
-
- Claims
-
Any claims on the request object, in JSON format. These claims must conform to the claims request parameter, as defined in the OpenID Connect specification.
- JWT Signing Algorithm
-
Specifies the signing algorithm supported by the provider that ForgeRock Identity Platform use to sign the following:
-
Client authentication JWTs when Client Authentication Method is set to
PRIVATE_KEY_JWT. -
(OpenID Connect providers only) Request JWTs when Request Parameter JWT Option is set to
VALUEorREFERENCE.
Obtain a list of the supported algorithms from the provider’s
.well-knownendpoint. SelectNONEif the client will encrypt the JWT with the Direct AES Encryption method, because the signature will be redundant.
Required: No. -
- JWT Encryption Algorithm
-
Specifies the encryption algorithm supported by the provider that ForgeRock Identity Platform should use to encrypt client authentication JWTs when Client Authentication Method is set to
PRIVATE_KEY_JWT, and (OpenID Connect providers only) request JWTs when Request Parameter JWT Option is set toVALUEorREFERENCE.If set to
NONE, ForgeRock Identity Platform will not encrypt the JWTs. Obtain a list of the supported algorithms from the provider’s.well-knownendpoint. Configure the algorithms exposed in this field using the AM advanced server property, openam.private.key.jwt.encryption.algorithm.whitelist.How do I configure advanced server properties?
-
To configure advanced server properties for all instances in the AM environment, go to Configure > Server Defaults > Advanced in the AM admin UI.
-
To configure advanced server properties for a specific instance, go to Deployment > Servers > Server Name > Advanced.
If the property you want to add or edit is already configured, click on the pencil () button to edit it. When you are finished, click on the tick () button.
Save your changes.
Required: No.
-
- JWT Encryption Method
-
Specifies the encryption algorithm supported by the provider that ForgeRock Identity Platform should use to encrypt the following:
-
Client authentication JWTs when Client Authentication Method is set to
PRIVATE_KEY_JWT. -
(OpenID Connect providers only) Request JWTs when Request Parameter JWT Option is set to
VALUEorREFERENCE.
Use in conjunction with
JWT Encryption Algorithm. Obtain a list of the supported methods from the provider’s.well-knownendpoint.
Required: No. -
- Private Key JWT Expiration Time (seconds)
-
Specifies the amount of time, in seconds, that ForgeRock Identity Platform will cache the client authentication JWT before creating a new one.
Caching the JWT avoids creating a new one for every client authentication. However, it may also become invalid if the provider changes it configuration.
Required: No.
- Response Mode
-
(OpenID Connect providers only) Specify the way the provider will return ID tokens to ForgeRock Identity Platform. Possible values are:
-
DEFAULT. The provider returns the ID token as query parameters, as explained in the OpenID Connect Core 1.0 incorporating errata set 1 specification.Most preconfigured providers use the
DEFAULTresponse mode. -
FORM_POST. The provider returns the ID token by submitting an HTML form using the HTTP POST method, as explained in the OAuth 2.0 Form Post Response Mode specification.When using this response mode, add the
/oauth2/client/form_post/ClientConfigNameURI to the Redirect URL, where ClientConfigName is the name of the social identity provider client that you are configuring. For example,https://platform.example.com:8443/am/oauth2/client/form_post/myAppleClient.By default, the
form_postendpoint processes the post data, encrypts it, and redirects with it back to the authentication tree to resume authentication.However, environments using custom login pages need to configure the Redirect after form post URL property to redirect back to the custom login pages.
The
/oauth2/client/form_postdoes not require authentication. Protect it from denial of service (DoS) attacks by limiting the rate at which it can take connections in your load balancer or proxy.If you configured ForgeRock Identity Platform with AES Key Wrap encryption, you must configure the
org.forgerock.openam.encryption.useextractandexpandproperty.For more information, see Preparing AES Key Wrap Encryption.
Required: Yes.
-
- Request Native App for UserInfo
-
(Apple SSO) When enabled, this flag indicates that the native app can send the user’s
userinfoin JSON format.Apple returns the
userinfoonly once, when the user first consents to send their details, and not on subsequent authentication attempts. In addition, the user has the option not to consent to Apple sending theiruserinfo.If you are progressively profiling the
userinfowith data from other social providers (usually, using a Patch Object node), there is a risk of overwriting the user’s details with blank values when the user authenticates through Apple SSO.To mitigate this risk, you can add a Scripted Decision node to your authentication journey that assesses whether the
userinfois provided and patches the object accordingly.
The outcome of the Scripted Decision node will be either to patch the userinfo object or not to patch the userinfo
object.
If you need to progressively profile the user information on every authentication, regardless of whether the user’s first name and last name are returned by the OIDC provider, you can use another Scripted Decision node that does the following: