This guide details the steps required to configure Keyless as a passwordless authentication solution for your ForgeRock instance.
This integration relies on the ForgeRock OIDC Node, which is available in AM 6.0 or later.
As part of your onboarding process with Keyless, you should have received the following:
- OpenID Connect Client ID
- OpenID Connect Secret
- OpenID Discovery URL
If you do not have one or more of these items, please reach out to support@keyless.io.
1. Create or modify an authentication tree to use the OpenID Connect Node.
2. Enter the following values for each configuration option in the OpenID Connect Node:

| Field Name | Value |
|---|---|
| Authentication Endpoint URL | The `authorization_endpoint` value from the provided Discovery URL |
| Access Token Endpoint URL | The `token_endpoint` value from the provided Discovery URL |
| User Profile Service URL | The `userinfo_endpoint` value from the provided Discovery URL |
| OAuth Scope | openid email profile |
| Redirect URL | Depends on your deployment configuration, typically: https://your-fr-host-domain/openam/?realm=THE_REALM&service=THE_TREE |
| Social Provider | Keyless |
| Auth ID Key | sub |
| Use Basic Auth | enabled |
| Account Provider | org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider |
| Account Mapper | org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper |
| Account Mapper Configuration | email=uid (maps the `email` claim of the ID token to the local `uid` attribute) |
| Save Attributes in the Session | enabled |
| Token Issuer | The `issuer` value from the provided Discovery URL (must match the `iss` claim of the ID token exactly) |
| OpenID Connect Validation Type | JWK URL |
| OpenID Connect Validation Value | The `jwks_uri` value from the provided Discovery URL |

To verify the configuration:

1. Open a private window in your browser.
2. Navigate to the login page of the realm that Keyless is configured for.
3. Enter your username and authenticate with Keyless on your mobile device (use a user that is already enrolled with Keyless).
4. You should now be logged into the ForgeRock portal.
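The following is an added example, not code from Keyless or ForgeRock, showing in plain Python the checks the OpenID Connect Node applies to the ID token returned by Keyless before it trusts the `sub` claim (the Auth ID Key), together with the "email to uid" account mapping from the table above. The issuer, client ID, key ID, JWKS metadata and the sample token are constructed placeholders; the RSA signature verification against the JWK URL is performed by the node and is not reimplemented here.

```python
import base64
import json
import time
from typing import Optional

# Assumed values standing in for the ones entered in the OpenID Connect Node.
TOKEN_ISSUER = "https://keyless.example"        # Token Issuer (placeholder)
CLIENT_ID = "forgerock-client-id"               # OpenID Connect Client ID (placeholder)
AUTH_ID_KEY = "sub"                             # Auth ID Key
ACCOUNT_MAPPER_CONFIG = {"email": "uid"}        # Account Mapper Configuration "email to uid"
# Constructed JWKS metadata as served from the JWK URL; the RSA parameters are omitted
# because the signature check itself is delegated to the node.
JWKS = {"keys": [{"kid": "keyless-key-1", "kty": "RSA", "alg": "RS256", "use": "sig"}]}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(header: dict, claims: dict) -> str:
    """Assemble a JWT for the sample; the signature segment is a placeholder."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    return ".".join(segments + [b64url_encode(b"\x00" * 32)])


def validate_id_token(token: str, now: float, expected_nonce: Optional[str] = None) -> dict:
    """Return the claims if the token passes the node's checks; raise ValueError otherwise."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    header = json.loads(b64url_decode(segments[0]))
    claims = json.loads(b64url_decode(segments[1]))
    # Reject unsigned tokens (alg=none) and keys the JWKS does not advertise.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not any(key["kid"] == header.get("kid") for key in JWKS["keys"]):
        raise ValueError(f"unknown kid {header.get('kid')!r}")
    # The issuer must equal the configured Token Issuer exactly; no prefix matching.
    if claims.get("iss") != TOKEN_ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    # aud is a string or a list; our client ID must be among the audiences.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if AUTH_ID_KEY not in claims:
        raise ValueError(f"missing Auth ID Key claim {AUTH_ID_KEY!r}")
    return claims


def rejection_reason(token: str, now: float, expected_nonce: Optional[str] = None) -> Optional[str]:
    """None if the token is accepted, else the reason it was rejected."""
    try:
        validate_id_token(token, now, expected_nonce)
    except ValueError as exc:
        return str(exc)
    return None


def map_account(claims: dict) -> dict:
    """Apply the Account Mapper Configuration: JWT claim -> local profile attribute."""
    attributes = {}
    for claim, attribute in ACCOUNT_MAPPER_CONFIG.items():
        if claim not in claims:
            raise ValueError(f"claim {claim!r} needed for account mapping is absent")
        attributes[attribute] = claims[claim]
    return attributes


def sample_token(**overrides) -> str:
    """Constructed ID token resembling what Keyless returns after a successful authentication."""
    claims = {"iss": TOKEN_ISSUER, "aud": CLIENT_ID, "sub": "a1b2c3d4",
              "email": "alice@example.com", "exp": 2_000_000_000, "nonce": "n-1"}
    claims.update(overrides)
    return make_token({"alg": "RS256", "kid": "keyless-key-1"}, claims)


if __name__ == "__main__":
    accepted = validate_id_token(sample_token(), now=time.time(), expected_nonce="n-1")
    print(map_account(accepted))                                   # {'uid': 'alice@example.com'}
    print(rejection_reason(sample_token(iss="https://evil.example"), now=time.time()))
```

A token from a different issuer, one whose `aud` does not contain the client ID, an expired token, or a token with `alg` set to `none` is rejected before any mapping takes place; the `email` claim is only consulted once the token has been accepted, which is why the user must be enrolled with Keyless under the same email address that exists as `uid` in ForgeRock.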
The following guide takes you through enabling passwordless biometric authentication on ForgeRock Identity Cloud to provide an enhanced passwordless authentication experience to users.
Keyless and ForgeRock have partnered to deliver true passwordless authentication for the workforce and for consumers.
This document provides step-by-step instructions for configuring ForgeRock Identity Cloud to work with Keyless. Keyless is set up in two roles: as an OpenID Connect service provider (relying party) of Identity Cloud, used for enrolment, and as an OpenID Connect identity provider (Social Identity Provider) for Identity Cloud, used for authentication.
A short video demonstrating the Keyless authentication experience on ForgeRock Identity Cloud follows.
All configuration is performed in the ForgeRock Identity Cloud Platform Admin Console.
1. Log on to the ForgeRock Identity Cloud Platform Admin Console for your tenant.
2. From the Platform Admin Console dashboard, select the realm you are configuring and navigate to Native Consoles --> Access Management.
3. From the dashboard, click the Services tile and then the Social Identity Provider Service link.
4. Click the Secondary Configurations tab, open the Add a Secondary Configuration dropdown and select OIDC Provider.
5. Choose a name for the IdP client configuration (the name is part of the Redirect URL, so decide on it first) and fill in the configuration items listed in the Social IdP configuration table at the end of this guide.
6. Click Save to store the IdP configuration, then click the Enabled toggle at the top to activate it.
The following is a sample normalization script (Groovy) for the Keyless Social IdP:
Next, configure an authentication tree to enable social authentication: from the realm dashboard select Authentication --> Trees --> Create Tree and provide a name, e.g. KeylessAuth.
At this point you can access the ForgeRock Identity Cloud end-user dashboard through this tree; you will be prompted to authenticate with Keyless, since Keyless is the only authentication mechanism configured in this tree (as shown above):
URL: https://<<my-forgerock-tenant>>/am/XUI/?realm=/<<my-realm-name>>&authIndexType=service&authIndexValue=<<my-Auth-Tree-Name>>#/
Here is an alternative sample auth tree that offers both password-based and Keyless (passwordless) authentication:
For enrolment with Keyless, create a new application in ForgeRock Identity Cloud for the Keyless OIDC service provider (relying party).
1. From the realm dashboard select Applications --> OAuth 2.0 --> Clients --> Add Client.
2. Fill in the required information:
   - Client ID: provide a client ID, e.g. KeylessEnrolmentClient.
   - Client Secret: generate a client secret.
   If a Client ID and Secret were provided by Keyless (that is, the enrolment service has already been created for you by Keyless), use those values here. If you create your own Client ID and Client Secret, both must be sent back to Keyless for configuration of the Keyless enrolment service; the secret is a credential, so hand it over through a secure channel rather than plain email.
   - Redirection URIs: the list of redirection URIs for your Keyless tenant provided by Keyless.
   - Scope & Default Scope: openid profile cn mail
3. Click the Create button and continue.
4. Click on the Advanced tab and configure the following:
   - Grant Types: select Authorization_Code & Implicit (the Implicit grant is discouraged by current OAuth 2.0 security guidance because it returns tokens in the browser fragment; enable it only if the Keyless enrolment service requires it).
   - Token Endpoint Authentication Method: select client_secret_post.
   - Custom Properties: type in preferred_username=mail
5. Click on the OIDC tab and configure the following:
   - Client Session URI: provided by Keyless.
   - Post Logout Redirect URI: provided by Keyless.
   - Backchannel Logout URI: provided by Keyless.
   - Post Logout Redirect URI: configured based on your realm name, e.g. https://<<forgerock-tenant>>/enduser/?realm=<<realm-name>>#/dashboard
6. Click Save; this completes the OIDC client configuration.
Having completed the steps above to configure the Keyless OIDC SP/RP for enrolment, you should now be able to enrol for Keyless authentication:
1. From a browser, navigate to the Keyless enrolment URL provided by Keyless.
2. Authenticate using your ForgeRock Identity Cloud credentials.
3. The browser is redirected to the Keyless enrolment page.
4. Download the Keyless authenticator app on your mobile device from the App Store or Google Play.
5. Scan the QR code displayed on the Keyless enrolment page with your mobile device to complete Keyless enrolment.
1. From a browser, navigate to an application secured by the ForgeRock Identity Cloud SSO solution, e.g. the ForgeRock Identity Cloud end-user dashboard through the Keyless auth tree:
https://<<my-forgerock-tenant>>/am/XUI/?realm=/<<my-realm-name>>&authIndexType=service&authIndexValue=<<my-Auth-Tree-Name>>#/
2. Click the Continue with Keyless button.
3. Provide the email address that is already enrolled with Keyless.
4. You will receive a notification on your mobile device to complete biometric authentication using Keyless.
Social IdP configuration items (referenced from the IdP configuration step above):

| Parameter | Description | Example |
|---|---|---|
| Name | Name of the Social IdP configuration (it also appears in the Redirect URL below) | Keyless |
| Auth ID Key | OIDC claim that identifies the user | sub |
| Client ID | OIDC Client ID, provided by Keyless | - |
| Client Secret | OIDC Client Secret, provided by Keyless | - |
| Well Known Endpoint | OIDC discovery URL, provided by Keyless | https://<my-keyless-tenant-fqdn>/.well-known/openid-configuration |
| Issuer | OIDC Issuer URL, provided by Keyless; it must match the `issuer` value in the discovery document | https://<my-keyless-tenant-fqdn> |
| Client Authentication Method | Authentication method for the OIDC client | CLIENT_SECRET_POST |
| PKCE Method | OIDC PKCE configuration | S256 |
| Response Mode | OIDC response mode | form_post |
| OAuth Scopes | OIDC/OAuth scope parameter | openid profile email |
| Scope Delimiter | Scope delimiter | <<single-space-character>> |
| OIDC Endpoints | Authorization, token, userinfo and JWKS endpoints: all provided by Keyless, and also retrievable from the OIDC discovery URL provided | https://<my-keyless-tenant>/connect/authorize |
| Redirect URL | OIDC redirect from the Keyless IdP on completion of authentication; depends on the realm and on the Social IdP name chosen at the top of this table | https://<<my-forgerock-tenant>>/am/oauth2/realms/root/realms/<<my-realm-name>>/client/formpost/<<Social-IDP-Name>> |
| UI Config Properties | Add a property buttonDisplayName; add a property buttonImage (the image URL is provided by Keyless) | buttonDisplayName = Keyless; buttonImage = https://<my-keyless-tenant>/static.keyless.svg |
| Transform Script | Script to transform/normalize the incoming claims from the Keyless IdP. A sample script is provided for this purpose; for initial configuration you can choose an existing script from the dropdown list of canned scripts. | - |
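Added example, not Keyless or ForgeRock code, showing what the Well Known Endpoint, Issuer, OIDC Endpoints, PKCE Method, Response Mode, OAuth Scopes and Redirect URL rows above amount to at the protocol level: it reads a discovery document, checks that its `issuer` matches the discovery URL (the Issuer field must agree with it), that the four endpoints are present and served over https, that the provider advertises form_post, S256 and client_secret_post, and then builds the authorization request that Identity Cloud sends the browser to Keyless with. The discovery document, the keyless.example and tenant hostnames and the client ID are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed discovery document, shaped like what the Well Known Endpoint returns;
# the keyless.example hostname is a placeholder.
DISCOVERY_URL = "https://keyless.example/.well-known/openid-configuration"
DISCOVERY_DOC = json.dumps({
    "issuer": "https://keyless.example",
    "authorization_endpoint": "https://keyless.example/connect/authorize",
    "token_endpoint": "https://keyless.example/connect/token",
    "userinfo_endpoint": "https://keyless.example/connect/userinfo",
    "jwks_uri": "https://keyless.example/.well-known/openid-configuration/jwks",
    "response_modes_supported": ["query", "form_post"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
# The values chosen in the Social IdP table, paired with the discovery key that advertises them.
CHOSEN = {"response_modes_supported": "form_post",
          "code_challenge_methods_supported": "S256",
          "token_endpoint_auth_methods_supported": "client_secret_post"}


def check_discovery(doc_json: str, well_known_url: str) -> Dict[str, str]:
    """Validate the discovery document against the discovery URL and the chosen
    settings; return the issuer plus the four endpoints for the Social IdP form."""
    doc = json.loads(doc_json)
    issuer = doc.get("issuer", "")
    # OpenID Connect Discovery 1.0 section 4.3: the document must be served from
    # issuer + /.well-known/openid-configuration. A mismatch means a wrong or
    # tampered document, so the Issuer field must not be filled from it.
    if well_known_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        raise ValueError(f"issuer {issuer!r} does not match discovery URL {well_known_url!r}")
    endpoints = {"issuer": issuer}
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
        endpoints[key] = url
    # Only conclusive when the provider publishes the list; an absent list is not a failure.
    for key, wanted in CHOSEN.items():
        if key in doc and wanted not in doc[key]:
            raise ValueError(f"provider does not advertise {wanted} in {key}")
    return endpoints


def discovery_problem(doc_json: str, well_known_url: str) -> Optional[str]:
    """None if the document checks out, else the reason it was rejected."""
    try:
        check_discovery(doc_json, well_known_url)
    except ValueError as exc:
        return str(exc)
    return None


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636: a code_verifier and its S256 code_challenge (unpadded base64url of SHA-256)."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def redirect_url(tenant: str, realm: str, idp_name: str) -> str:
    """Identity Cloud's form_post callback for a Social IdP, following the Redirect URL pattern in the table."""
    return f"https://{tenant}/am/oauth2/realms/root/realms/{realm}/client/formpost/{idp_name}"


def build_authorization_request(endpoints: Dict[str, str], client_id: str, redirect_uri: str,
                                state: str, nonce: str, verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (authorization URL, code_verifier). The verifier stays server-side and is
    presented at the token endpoint together with the code returned via form_post."""
    verifier, challenge = pkce_pair(verifier)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",     # OAuth Scopes joined with the single-space delimiter
        "response_mode": "form_post",        # Response Mode
        "state": state,                      # bound to the browser session, checked on the callback
        "nonce": nonce,                      # echoed in the ID token to tie it to this request
        "code_challenge": challenge,
        "code_challenge_method": "S256",     # PKCE Method
    }
    return endpoints["authorization_endpoint"] + "?" + urlencode(params), verifier


if __name__ == "__main__":
    ep = check_discovery(DISCOVERY_DOC, DISCOVERY_URL)
    cb = redirect_url("my-forgerock-tenant", "my-realm-name", "Keyless")
    url, code_verifier = build_authorization_request(ep, "keyless-client-id", cb,
                                                     secrets.token_urlsafe(16), secrets.token_urlsafe(16))
    print(url)
```

Pointing the discovery check at a document whose `issuer` differs from the host the document was fetched from returns an error instead of endpoint values; that is the check to run before copying endpoints into the Social IdP form, since Identity Cloud will later compare the ID token's `iss` against the configured Issuer.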