Limitations

The SDKs do not support authentication chains nor modules.

The FRUI module is for prototyping your UI, and is not intended for production use, as-is.

As of version 3.0, the Identity Providers supported by the SDKs for Social Login are limited to Apple, Facebook, and Google.

Displaying CAPTCHAs or using the ForgeRock Authenticator Module in your application requires the presence of the Google Play Services.

The Authenticator module of the Android SDK only supports Firebase Cloud Messaging service as a Push Notification provider.

Social Login requires AM version 7.1 or the latest version of Identity Cloud.

Calling FRUser.logout() will only sign out the session from AM but not the Social Identity Provider. Every subsequent, social login attempt will automatically log in without asking for credentials.

Biometric authentication is only supported on Android 7.0 or newer.

Biometric authentication requires AM version 7.1 or the latest version of Identity Cloud.

Biometric authentication requires the use of Google Play Services.

When a biometric dialog, such as the provide fingerprint dialog, is dismissed, the application may become unresponsive.

Biometric authentication does not distinguish individual biometrics (fingerprints or faces), but is limited to any registered for the device’s current user account.

As of version 3.0, only platform authenticators can be used for WebAuthn; roaming/USB authenticators, like Yubikey, are not currently supported.

Data encryption with Secure Enclave is only available for iOS 10+ devices with TouchID or FaceID.

DeviceCollector customization is only available in Swift.

JailbreakDetector customization is only available in Swift.

HiddenValueCallback and SuspendedTextOutputCallback are not accessible in Objective-C.

FRAuthenticator SDK is only available in Swift.

Social Login requires AM version 7.1 or the latest version of Identity Cloud.

Calling FRUser.logout() will only sign out the session from AM but not the Social Identity Provider. Every subsequent, social login attempt will automatically log in without asking for credentials.

The Google Sign-In SDK is only compatible with CocoaPods (Swift Package Manager is not supported).

Sign In With Apple is only supported in iOS 13 and above.

Biometric authentication requires AM version 7.1 or the latest version of Identity Cloud.

Biometric authentication does not distinguish between individual biometrics (fingerprints or faces), but is limited to the collection of biometrics registered for the device’s current user account.

For Biometric authentication, iOS only supports the ES256 signing algorithm, this is configured in the WebAuthn Registration node.

For "usernameless" biometric authentication support, "limit registrations" must be disabled within the WebAuthn Registration node.

As of version 3.0, only the platform authenticator can be used for WebAuthn; roaming/USB authenticators, like Yubikey, are not supported.

When resources are protected by IG, the SDK can only support transactional authorization if AM and IG are on the same origin.

FireFox doesn’t support Touch ID as a WebAuthn device on Mac therefore it limits some WebAuthn node configurations.

The SDK requires polyfills to function in IE 11 and Legacy Edge.

In WebKit for both macOS and iOS, the "Prevent Cross-site Tracking" option, which is enabled by default, can prevent the SDK from functioning when the app and AM are under different origins.

Collecting location information requires the user’s system preferences to allow browser access to location information.

IndexedDB as a token storage strategy has a known issue with Firefox Private Mode. (Use localStorage as an alternative.)

Social login with Apple requires the use of a form POST, so the "Redirect URL" cannot be an SPA as they are unable to handle a POST request; the use of the special AM endpoint explained in Set up social login is recommended.

Calling FRUser.logout() will only sign out the session from AM but not the social identity provider. Every subsequent social login attempt will automatically log in without asking for credentials.