Documentation Hub
Workforce
Why Keyless?Start HereMobile SDKWeb SDKWorkforceIDV BridgeUser GuideAdmin portalOn-Premise
Workforce
Why Keyless?Start HereMobile SDKWeb SDKWorkforceIDV BridgeUser GuideAdmin portalOn-Premise
  • Keyless Integrations Docs
  • ✅Prerequisites
  • IAM and SSO Integrations
    • Overview
    • Okta
      • Account Linking Config
      • Identity Provider Config
    • Microsoft AD FS
      • Prerequisites
      • Integration
      • Authentication
      • Troubleshooting
    • AWS Cognito
    • Auth0
    • ForgeRock
      • ForgeRock Authentication Node
      • Forgerock Identity Cloud
    • OneLogin
    • Ping Identity
      • PingOne SSO
    • Microsoft Entra ID
    • Salesforce
  • Post Integration
    • 🏁Post Integration
      • 📢Employee Onboarding
        • Prerequisites
        • Email Templates
      • 🎧Admin Onboarding
        • Common Terms
        • Enrollment and Activation
        • Authentication
        • Troubleshooting and Support
Powered by GitBook
On this page
  • Authentication: Configure Social Identity Provider
  • Keyless Enrollment: OIDC SP/RP Configuration
  • Keyless Enrollment
  • Keyless Authentication

Was this helpful?

  1. IAM and SSO Integrations
  2. ForgeRock

Forgerock Identity Cloud

The following guide takes you through the process of enabling passwordless biometric authentication on Forgerock Identity Cloud to provide enhanced passwordless authentication experience to users

Last updated 6 months ago

Was this helpful?

Keyless and Forgerock have partnered to deliver true passwordless authentication for the workforce and for consumers.

This document provides a step-by-step introduction for configuring Forgerock to work with Keyless. In this guide Keyless will be set up as both an OpenID Connect service provider and a OpenID Connect identity provider (Social Identity Provider) for Forgerock Identity Cloud.

Authentication: Configure Social Identity Provider

All configuration will be performed on Forgerock Identity Cloud Platform Admin Console.

  1. Log on to Forgerock Identity Cloud Platform Admin console for your tenant:

  2. From Platform Admin Console Dashboard select the realm we will be doing this configuration for, and navigate to Native Consoles -> Access Management

  3. From Dashboard click on Services tile and click on Social Identity Provider Service Link

  4. Click on Secondary Configurations tab and click on Add a Secondary Configuration dropdown select OIDC Provider

  5. Select a name for out IdP client configuration: the table below provides a list on configuration items that need to be filled in

Paramaeter
Description
Example

Name

Select a naem from Social IdP configuration

Keyless

Auth ID Key

OIDC claim that identifies the user

sub

Client ID

OIDC Client ID: Provided by Keyless

-

Client Secret

OIDC Client Secret: Provided by keyless

-

Well Known Endpoint

OIDC discovery URL: provided by Keyless

https://\<my-keyless-tenant-fqdn>/.well-known/openid-configuration

Issuer

OIDC Issuer URL: provided by Keyless

https://\<my-keyless-tenant-fqdn>

Client Authentication Method

Authentication method for OIDC Client

CLIENT_SECRET_POST

PKCE Method

OIDC PKCE coonfiguration

S256

Response Mode

OIDC Response mode

form_post

Oauth Scopes

OIDC/OAuth scope parameter

openid profile email

Scope Delimiter

Scope delimiter

<\<single-space-character>>

OIDC Endpoints

Authorization, token, userinfo, JWKS endpoints: these are all provided by Keyless, also can be retrieved from the OIDC Discovery URL provided.

https://\<my-keyless-tenant>/connect/authorize

Redirect URL

OIDC redirect from Keyless IDP on completion of authentication. This will depend on our realm and the name of our Social IdP we chose at the very top of this table

https://<\<my-forgerock-tennant>>/am/oauth2/realms/root/realms/<\<my-realm-name>>/client/form_post/<\<Social-IDP-Name>>_

UI Config Properties

Add a property: buttonDisplayName

Keyless

Add a property:

(URL for the value is provided by Keyless)

buttonImage

https://\<my-keyless-tenant>/static.keyless.svg

Transform Script

Script to transform/normalize the incoming cliams from Keyless IDP

We'll provide a sample script, to do just that, for initial configuration we can choose an existing script from the dropdown list of canned scripts.

  1. ensure that we click the Save button to save our IdP configuration and click enabled toggle button on top to have our IdP configuration active/enabled

  2. Following is a sample normalization script (groovy) for our Keyless Social IdP

    // Normalization script for Keyless Social IdP
import static org.forgerock.json.JsonValue.field
import static org.forgerock.json.JsonValue.json
import static org.forgerock.json.JsonValue.object

return json(object(
field("mail", rawProfile.preferred_username),
field("alias",selectedIdp + '-' +
    rawProfile.preferred_username.asString() ),
))

  3. Next we'll need to configure an authentication Tree to enable our Social authentication: from realm dashboard select Authentication --> Trees --> Create Tree and provide a name: e.g. KeylessAuth

  4. At this point you can access Forgerock Identity Cloud end user dashboard: you'll be prompted to authenticate with Keyless (as Keyless is the only authentication mechanism configured in this specific Auth tree as shown above)

    https://<my-forgerock-tenant>/am/XUI/?realm=/<my-realm-name>\&authIndexType=service\&authIndexValue=<my-Auth-Tree-Name>#/

  5. Here's an alternative sample auth tree that provides options for both password based & Keyless (passwordless) authentication

Keyless Enrollment: OIDC SP/RP Configuration

For enrollment with Keyless we'll need to create a new Application on Forgerock Identity Cloud for Keyless OIDC Service provider.

  1. From our realm dashboard select Applications --> OAuth 2.0 --> Clients --> Add Client

  2. Fill in the information required as described below:

    • Client ID: Provide a client ID: e.g. KeylessEnrollmentClient,

    • Client Secret: generate a client secret

      • If ClientID & Secret is provided by Keyless (that is enrollment service has already been created for you by Keyless) we'll be using those to populate the parameters above.

      • If we are creating our own ClientID & Client Secret then, both ClientID & Secret need to be sent back to Keyless for configuration on the Keyless Enrollment service.

    • Redirection URIs: A list of redirection URIs for your Keyless tenant has been provided by Keyless

    • Scope & Default Scope enter the following: openid profile cn mail

  3. Click Create button and continue

  4. Click on Advanced tab and configure the following:

    • Grant Types select : Authorization_Code & Implicit

    • Token Endpoint AUthentication Method select: client_s__s_ecret_post_

    • Custom Properties type in the following: preferred_username=mail

  5. Click on OIDC tab and configure the following

    • Client Session URI: this is provided by Keyless

    • Post Logout Redirect URI: this is provided by Keyless

    • Backchannel Logout URI: this is provided by Keyless

    • Post Logout Redirect URI: this is configured based on our realm name e.g. https://<\<forgerock-tenant>>/enduser/?realm=<\<realm-name>>#/dashboard

  6. Click Save and that completes OIDC client configuration.

If we are creating our own ClientID & Client Secret then, both ClientID & Secret need to be sent back to Keyless for configuration on the Keyless Enrollment service

Keyless Enrollment

After completing the configuration steps above to configure Keyless OIDC SP/RP for enrollment we can now enrol for Keyless authentication

  1. From a browser navigate to Keyless enrollment URL provided by Keyless

  2. Authenticate using your credentials for Forgerock Identity Cloud

  3. Browser will get redirected to Keyless enrollment page

  4. Download Keyless authenticator app on your mobile device from AppStore or Google play

  5. Scan the QR code displayed on Keyless enrolement page with your mobile device to complete Keyless enrollment

Keyless Authentication

From a browser navigate to an application secured via Forgerock Identity Cloud SSO solution. For example Forgerock Identity Cloud end user dashboard: https://>/am/XUI/?realm=/<>\&authIndexType=service\&authIndexValue=<>#/

  1. Click on Continue with Keyless button

  2. Provide your email enrolled with Keyless already

  3. You'll receive a notification on you mobile device to complete biometic authentication using Keyless

🏁Post Integration
Click on Service Management Tile
Click on Social Identity Provider Service link
Client configuration for OIDC Provider
Choose a name from Social IdP
Sample Authentication Tree; KeylessAuth
Keyless Authentication Page
Auth tree with Keyless & password option
Logon Page with both Options
Create an OIDC client for Keyless Enrollment
New OIDC Client configuration
OIDC Client configuration
Advanced Tab configurations
Keyless Authentication