ForgeRock Authentication Node
This guide details the steps required to configure Keyless as a passwordless authentication solution for your ForgeRock instance.

Keyless Authentication Node

This integration relies on the ForgeRock OIDC Node which is available in AM6.0 or greater.

Prerequisites

As part of your onboarding process with Keyless, you should have received the following:
  • OpenID Connect Client ID
  • OpenID Connect Secret
  • OpenID Discovery URL
If you do not have one or more of these items, please reach out to [email protected].

Configuration

  1. 1.
    Create or modify a tree to use the OpenID Connect Node
​​
​
​
  1. 1.
    Enter the following values for each configuration option in the OpenID Connect Node
Field Name
Value
Authentication Endpoint URL
To be found in the provided Discovery URL
Access Token Endpoint URL
To be found in the provided Discovery URL
User Profile Service URL
To be found in the provided Discovery URL
OAuth Scope
openid email profile
Redirect URL
Depends on your deployment configuration, typically: https://your-fr-host-domain/openam/?realm=THE_REALM&service=THE_TREE
Social Provider
Keyless
Auth ID Key
sub
Use Basic Auth
enabled
Account Provider
org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
Account Mapper
org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
Account Mapper Configuration
email to uid
Save Attributes in the Session
enabled
Token Issuer
To be found in the provided Discovery URL
OpenID Connect Validation Type
JWK URL
OpenID Connect Validation Value
To be found in the provided Discovery URL

Testing

  1. 1.
    Open a private window in your browser.
  2. 2.
    Navigate to the login page of the realm that Keyless is configured for.
  3. 3.
    Enter your username and authenticate with Keyless on your mobile device (make sure to use a user that is enrolled to Keyless)
  4. 4.
    You should now be logged into the ForgeRock portal.