ForgeRock Developer Experience

Configure biometric authentication journeys

To use mobile biometrics with the ForgeRock SDK for iOS, configure the authentication nodes in your journeys as follows:

  1. In each WebAuthn Registration node and WebAuthn Authentication node:

    • Ensure the Return challenge as JavaScript option is not enabled.

      The SDK expects a JSON response from these nodes; enabling the Return challenge as JavaScript option would cause the journey to fail.

    • Set the Relying party identifier option to be the domain hosting the apple-app-site-association file; for example,

      You do not need the protocol or the path.

    • To enable passkey support, enable Username to device in the WebAuthn Registration node, and Username from device in the WebAuthn Authentication node.

  2. In each WebAuthn Registration node:

    • Set the Authentication attachment option to either UNSPECIFIED or PLATFORM.

    • Ensure the Accepted signing algorithms option includes ES256.

    • Ensure the Limit registrations option is not enabled.

Configure origin domains

To enable WebAuthn on iOS devices, you must configure the nodes with a specially formatted string containing the bundle identifier of your application, which you can find in Xcode, on the Signing & Capabilities tab of your app's target page:

Figure 1. Bundle identifier field in Xcode

Prefix this value with the string ios:bundle-id:. For example:


To enable passkey support, add the fully-qualified domain name of the Identity Cloud or AM instance as an origin domain. For example,

Add these values to the Origin domains property in each WebAuthn Registration node and WebAuthn Authentication node in the journey.
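As an added illustration of the checklist above (not code from the ForgeRock SDK or documentation), the following validator flags node settings that would break the iOS SDK: a JavaScript challenge, a relying party identifier that is not a bare domain, missing `ios:bundle-id:` or AM origin entries, and registration-node options outside the stated values. The dictionary keys and sample values are assumptions for this check, not AM's real export format.

```python
import re

# Constructed sample of one WebAuthn Registration node's settings.
# Key names are assumptions for this check, not AM's real property names.
REGISTRATION_NODE = {
    "return_challenge_as_javascript": False,
    "relying_party_id": "example.com",
    "username_to_device": True,
    "authentication_attachment": "PLATFORM",
    "accepted_signing_algorithms": ["ES256", "RS256"],
    "limit_registrations": False,
    "origin_domains": ["ios:bundle-id:com.example.app", "openam.example.com"],
}

# A bare host name: no scheme, no port, no path.
_BARE_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
# The ios:bundle-id: prefix followed by a reverse-DNS bundle identifier.
_BUNDLE_ID = re.compile(r"^ios:bundle-id:[A-Za-z0-9.-]+$")


def check_webauthn_node(node, am_fqdn, is_registration):
    """Return a list of findings; an empty list means the node matches the checklist."""
    findings = []
    if node.get("return_challenge_as_javascript"):
        findings.append("Return challenge as JavaScript must be disabled (SDK expects JSON)")
    rp_id = node.get("relying_party_id", "")
    if not _BARE_HOST.match(rp_id):
        findings.append(f"Relying party identifier {rp_id!r} must be a bare domain (no protocol or path)")
    origins = node.get("origin_domains", [])
    if not any(_BUNDLE_ID.match(o) for o in origins):
        findings.append("Origin domains need an ios:bundle-id:<bundle identifier> entry")
    if am_fqdn not in origins:
        findings.append(f"Origin domains missing {am_fqdn} (required for passkey support)")
    passkey_flag = "username_to_device" if is_registration else "username_from_device"
    if not node.get(passkey_flag):
        findings.append(f"{passkey_flag} must be enabled for passkey support")
    if is_registration:
        if node.get("authentication_attachment") not in ("UNSPECIFIED", "PLATFORM"):
            findings.append("Authentication attachment must be UNSPECIFIED or PLATFORM")
        if "ES256" not in node.get("accepted_signing_algorithms", []):
            findings.append("Accepted signing algorithms must include ES256")
        if node.get("limit_registrations"):
            findings.append("Limit registrations must be disabled")
    return findings


if __name__ == "__main__":
    for line in check_webauthn_node(REGISTRATION_NODE, "openam.example.com", True):
        print(line)
```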

Copyright © 2010-2024 ForgeRock, all rights reserved.