ForgeRock Identity Cloud

FAQ: Journeys in Identity Cloud

Last updated Jan 24, 2023

The purpose of this FAQ is to provide answers to commonly asked questions regarding end user journeys in ForgeRock Identity Cloud.

Frequently asked questions 

Q. How can I collect multiple attributes in the same node where some are required and some are optional?

A. If you include multiple attributes in a single Attribute Collector node, they must all be required or all optional.

If you want attributes to have different validation options, you can use multiple Attribute Collector nodes to specify whether individual attributes are required or optional. You can then include these Attribute Collector nodes in a single Page node to present them on the same page in the end user journey.

Q. How do I know what policy will be used to validate a user's input?

A. When you use the Attribute Collector node for user input, you can choose whether the input value for an attribute is validated or not by selecting the Validate Input option. See Attribute Collector node for further information.

You can check what validation policies are defined for an attribute as follows:

  1. In the Identity Cloud admin UI, go to Native Consoles > Identity Management > Configure > Managed Objects > [Managed Object Type] and click the name of the attribute (property) you are interested in.
  2. Select the Validation tab and you will see a list of policies that have been added to the attribute. See Default policy for managed objects for further details about these policies.

Q. When is an attribute validation policy evaluated?

A. If an attribute has a validation policy attached to it, the policy is always evaluated when there is user input, even if the attribute has been marked as optional in the Attribute Collector node. In other words, if a non-required field contains data, the policy is evaluated.


If you have a Scripted Decision node that removes an attribute’s value (that is, by setting the value to null), then all policies attached to all attributes for the managed object (for example, alpha_user) will be re-evaluated when the object is updated/patched with the null value.

Q. How do I ensure a user input attribute is mandatory when I use policy validation?

A. If you are using policy validation with an Attribute Collector node, you can add the not-empty validation policy to the attribute to ensure the field cannot be left blank. 

To make an attribute mandatory:

  1. In the Identity Cloud admin UI, go to Native Consoles > Identity Management > Configure > Managed Objects > [Managed Object Type] and click the name of the attribute (property) you want to make mandatory.
  2. Select the Validation tab and click Add Policy.
  3. Enter not-empty in the Policy Id field and click Add.
  4. Return to the Attribute Collector node in your journey and make the following changes to ensure policies are used which give user feedback:
    • Deselect the All Attributes Required option.
    • Select the Validate Input option.

Q. What is the session timeout for Journeys and can I change it?

A. The default session timeout for a journey is 5 minutes and you can adjust this if required:

  1. In the Identity Cloud admin UI, go to Native Consoles > Access Management > Authentication > Settings > Trees > Max duration (minutes) and enter the session timeout in minutes.
  2. Click Save Changes.

See Core authentication attributes for further information.

Q. How do I return a custom error message using the Scripted Decision node?

A. You can include the following in your script to define a custom error message:

    sharedState.put("errorMessage", "custom error message")
    outcome = "false"

For example, if you would like to see a custom authentication failure response such as:

    {"code":401,"reason":"Unauthorized","message":"Token registration not possible"}

instead of the standard:

    {"code":401,"reason":"Unauthorized","message":"Login failure"}

your script would look similar to the following example:

    if (sharedState.get('transaction_mfa_option') != 'MFA') {
        logger.warning('Register Token not allowed for MFA option:' + sharedState.get('transaction_mfa_option'))
        sharedState.put("errorMessage", "Token registration not possible")
        outcome = "false"
    } else {
        outcome = "true"
    }

Q. How can I reference environment-specific secret or non-secret values in a Scripted Decision node?

A. You can include environment secrets and variables (ESVs) in your scripts as detailed in Use ESVs in scripts.

Q. Can I deactivate unused journeys?

A. Yes, you can disable unused journeys as explained in the documentation: Enable and disable an authentication journey.

Q. How do I debug an end user journey?

A. In your Development environment, you can use debug mode as described here: Debug Identity Cloud end-user journeys.

If you need to debug a journey in a different environment, you can include a Scripted Decision node for debugging. See GitHub: Scripted Decision Debugger for some examples to get you started. 

You can insert a Scripted Decision node such as this at each stage of the journey that you want to debug. This node will then send script debug statements to the browser with the caught error, sharedState content or even just a simple message such as passed.


Please be aware that script debug statements will be visible to ForgeRock support, so you should ensure you do not log any personally identifiable information (PII) or any sensitive information. 
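
Added example (not part of the original FAQ and not ForgeRock's code): one way to keep PII out of debug statements is to pass the state through an allowlist redactor before it is logged or displayed. The function names, the SAFE_KEYS list and the sample state are assumptions for illustration, and the code assumes the node's shared state has first been copied into a plain JavaScript object.

```javascript
// Keys whose values may appear in debug output (assumed list; adjust per journey).
const SAFE_KEYS = new Set(['realm', 'authLevel', 'transaction_mfa_option', 'errorMessage']);
// Value patterns masked even under an allowed key.
const EMAIL = /[^\s@"]+@[^\s@"]+\.[^\s@"]+/g;
const JWT = /\beyJ[\w-]+\.[\w-]+\.[\w-]*/g;

function maskString(value) {
  return value.replace(JWT, '[JWT]').replace(EMAIL, '[EMAIL]');
}

// Returns a deep copy of `value` that is safe to log; the input is never mutated.
// Scalars are shown only beneath an allowlisted key; all others are reduced to their type.
function redact(value, allowed = false, depth = 0) {
  if (depth > 6) return '[TRUNCATED]';              // bound recursion on odd structures
  if (value === null || value === undefined) return null;
  if (Array.isArray(value)) return value.map((v) => redact(v, allowed, depth + 1));
  if (typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = redact(v, SAFE_KEYS.has(k), depth + 1);
    }
    return out;
  }
  if (!allowed) return '[REDACTED ' + typeof value + ']';
  return typeof value === 'string' ? maskString(value) : value;
}

// Constructed sample resembling the state a debug node might see.
const sampleState = {
  realm: '/alpha',
  authLevel: 0,
  transaction_mfa_option: 'SMS',
  username: 'bjensen',
  objectAttributes: { mail: 'bjensen@example.com', sn: 'Jensen' },
  errorMessage: 'No token for bjensen@example.com',
};

// Builds the single line a debug node would emit for the given state.
function debugLine(state) {
  return 'journey-debug ' + JSON.stringify(redact(state));
}
```

Because unknown keys are redacted by default, an attribute added to the journey later stays out of the debug output until it is explicitly allowlisted.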

Writing scripts for end user journeys is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.  

See Also

Journeys in Identity Cloud


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.