Gemalto Authentication Solution
Document version: 1.1 (July 2018)
Gemalto Digital Banking Mobile Suite delivers strong multi-factor authentication – including biometrics – with best-in-class security, while fulfilling banking requirements. It ensures appropriate security features, while also allowing banks to comply with regulations and to offer simple, innovative experiences that increase the digital touchpoints in online channels. Gemalto Digital Banking Mobile Suite is developed and maintained by Gemalto with banking-grade security vetted by internal and external audits.
Backed up by an large R&D team of engineers (developers, architects, testers, and security officers) who are highly skilled in mobile security, cryptography and biometric authentication, the Gemalto Digital Banking Mobile Suite benefits from a strong product development plan. It is the guarantee of a product offering which not only remains always up to date with the latest mobile evolutions and threats, but also strives to incorporate the latest innovations to deliver banks and their users with the strongest security and a smooth user experience.
These solutions are now integrated into ForgeRock Identity Platform using the Authentication Tree from ForgeRock Access Management.
For this integration, the Gemalto federation interface needs to running. It is the component that exposes Gemalto solutions via SAMLv2, OAuth 2, and OpenID Connect. A new OpenID Connect client needs to be created. The following inputs will be needed for this guide:
- OpenID Discovery URL - example:
- Client ID - entered when creating the client in Gemalto systems - example:
- Client Secret - a randomly generated secret used during the OpenID Connect exchange: example:
ForgeRock Access Management
This guide is targeting Access Management (AM) version 6.0+. It can be deployed using this set of instructions.
For ForgeRock 5.5+, please use our other guide that uses modules and chains technology.
Access Management must be able to connect to Gemalto's solution.
Create a new Authentication Tree
Authentication Tree Diagram
You can create many types of authentication tree to match your specific deployment. Below are 2 variants than can typically be used for simple setups. The integration of the Gemalto authentication solutions is done via the OAuth 2.0 node.
Quick Demo Setup
For a quick demo setup, build this flow. It uses the "Provision Dynamic Account" node, that creates temporary accounts for logged in users. Those accounts are deleted once the session expires.
For a more realistic deployment, we recommend to use this flow. It uses the "Provision IDM Account" node to permanently persist user accounts in an IDM. An IDM needs to be configured in Access Management.
Configure OAuth 2.0 node
In the authentication tree, select the OAuth 2.0 node. A form tab will open on the right. The information below shows a typcial setup.
- Node Name -
Gemalto Auth(Any name can be chosen)
- Client ID -
- Client Secret -
- Authentication Endpoint URL - Copy value from the entry authorization_endpoint in the OpenID Discovery URL web page (see the pre-requisites)
- Access Token Endpoint URL - Copy value from the entry token_endpoint in the OpenID Discovery URL web page (see the pre-requisites)
- User Profile Service URL - Copy value from the entry userinfo_endpoint in the OpenID Discovery URL web page (see the pre-requisites)
- OAuth Scope -
openid profile email
- Scope Delimiter -
(enter the space character)
- Redirect URL - Access Management redirect URL. Example: https://openam.mybank.com/openam/XUI/
- Social Provider -
Gemalto(Any name can be chosen)
- Auth ID Key -
- Use Basic Auth -
- Account Provider -
- Account Mapper -
- Attribute Mapper -
- Account Mapper Configuration -
- Attribute Mapper Configuration - Enter the following entries:
- Save Attributes in the Session -
- OAuth 2.0 Mix-Up Mitigation Enabled -
- Token Issuer - Copy value from the entry issuer in the OpenID Discovery URL web page (see the pre-requisites)
Testing your configuration
Access Management provides a quick way to test your setup at this stage.
Trigger the chain using a browser by using its service name Example: https://openam.mybank.com/openam/XUI/#login&service=GemaltoAuth
This should automatically redirect you to the Gemalto login page via an OpenID Connect redirection
- Login to the Gemalto authentication solution using one of the configured authentication method.
You should be redirected to the Access Management user portal
- Logout of the User Portal using the top right menu.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.