AM 7.3.2

Device Match node

Compares any collected device metadata with that stored in the user’s profile.

Use this node with the Device Profile Collector node to determine if the authenticating user is on a previously saved, trusted device.

You can choose between two methods of comparison:

  1. Built-in Matching

    The node handles the comparison and matching; you configure the acceptable variance and specify the time frame within which saved profiles are considered current.

  2. Custom Matching

    Create scripts to compare captured device data against trusted device profiles.

    AM includes a template script you can customize to your requirements. In the AM admin UI, go to Realms > Realm Name > Scripts, and click Device Match Template - Decision node Script.

    ForgeRock also provides a more complete sample script, as well as instructions for its use and a development toolkit. Find these resources on GitHub at https://github.com/ForgeRock/forgerock-device-match-script.

You must establish the identity of the user before attempting to match device profiles.

Outcomes

  • True

  • False

  • Unknown Device

Evaluation continues along the True path if the collected device profile matches a saved profile, within the configured variance; otherwise, evaluation continues along the False path.

If the user has no trusted device profiles, or the identity of the user has not been established, evaluation continues along the Unknown Device path.

Properties

Property / Usage

Acceptable Variance

    Specify the maximum number of device attribute differences acceptable for a match.

Expiration

    Specify the maximum age, in days since being saved, that an existing profile can have and still be considered for comparison. Device profiles saved to the user’s profile before this time are not compared to the collected metadata.

Use Custom Matching Script

    Specifies whether to use a custom script to compare the collected metadata with saved device profiles.

    The script type must be Decision node script for authentication trees.

    When a custom matching script is used, the Acceptable Variance and Expiration properties are ignored.

    Default: Authentication Tree Decision Node Script

Custom Matching Script

    Specifies the custom script to use if the Use Custom Matching Script property is enabled.

    Only scripts of type Decision node script for authentication trees appear in the list.
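The following JavaScript is an added illustration of how the built-in matching described above (the three outcomes, the Acceptable Variance count and the Expiration window) can be modelled; it is not AM's own code and uses no AM scripting bindings. The profile layout, the attribute names, the sample profiles and the `matchDevice` and `countDifferences` helpers are all assumptions constructed for this example.

```javascript
// Added example, not part of the AM documentation or the ForgeRock sample script.
// It models the Device Match node's built-in matching without any AM API:
// profile storage layout, attribute names and helper names are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Count top-level attributes that differ between the collected device
// metadata and one saved profile. An attribute present on only one side
// counts as a difference.
function countDifferences(collected, saved) {
  const keys = new Set([...Object.keys(collected), ...Object.keys(saved)]);
  let diffs = 0;
  for (const key of keys) {
    if (JSON.stringify(collected[key]) !== JSON.stringify(saved[key])) diffs++;
  }
  return diffs;
}

// Return the node outcome: "True", "False" or "Unknown Device".
//   identityEstablished - whether an earlier node has identified the user
//   savedProfiles       - trusted profiles stored on the user's profile
//   collected           - metadata gathered by the Device Profile Collector node
//   acceptableVariance  - maximum number of differing attributes for a match
//   expirationDays      - profiles saved longer ago than this are not compared
//   now                 - current time in ms since the epoch
function matchDevice({ identityEstablished, savedProfiles, collected,
                       acceptableVariance, expirationDays, now }) {
  // No identity or no trusted profiles: nothing to compare against.
  if (!identityEstablished || !savedProfiles || savedProfiles.length === 0) {
    return "Unknown Device";
  }
  // Assumption: profiles older than the expiration window are skipped; if every
  // profile is expired the user still has trusted profiles, so the result is False.
  const cutoff = now - expirationDays * DAY_MS;
  for (const profile of savedProfiles) {
    if (profile.savedAt < cutoff) continue;
    if (countDifferences(collected, profile.metadata) <= acceptableVariance) {
      return "True";
    }
  }
  return "False";
}

// Constructed sample data (not real device profiles).
const NOW = Date.parse("2024-01-31T00:00:00Z");
const SAVED_PROFILES = [
  { savedAt: Date.parse("2024-01-20T00:00:00Z"),
    metadata: { platform: "Android", version: "13", model: "Pixel 6",
                timezone: "Europe/London", locale: "en-GB" } },
  { savedAt: Date.parse("2023-06-01T00:00:00Z"),
    metadata: { platform: "iOS", version: "16", model: "iPhone",
                timezone: "Europe/London", locale: "en-GB" } },
];
const COLLECTED_ANDROID = { platform: "Android", version: "14", model: "Pixel 6",
                            timezone: "Europe/London", locale: "en-GB" };
const COLLECTED_IOS = { platform: "iOS", version: "16", model: "iPhone",
                        timezone: "Europe/London", locale: "en-GB" };

// Evaluate a collected profile with the given node properties.
function evaluate(collected, acceptableVariance, expirationDays, identityEstablished = true) {
  return matchDevice({ identityEstablished, savedProfiles: SAVED_PROFILES, collected,
                       acceptableVariance, expirationDays, now: NOW });
}

// Stand-alone run: OS upgrade within variance, then the same device with variance 0,
// then a device whose only saved profile has expired.
console.log(evaluate(COLLECTED_ANDROID, 1, 30));   // True
console.log(evaluate(COLLECTED_ANDROID, 0, 30));   // False
console.log(evaluate(COLLECTED_IOS, 1, 30));       // False (iOS profile expired)
console.log(evaluate(COLLECTED_IOS, 1, 365));      // True
console.log(evaluate(COLLECTED_IOS, 1, 30, false)); // Unknown Device
```

The Android case shows why a non-zero variance matters: a routine OS update changes one attribute, and a variance of 0 would force the user through whatever the False path requires on every upgrade. The iOS case shows the Expiration window in effect: with a 30-day window the only matching profile is too old to be compared, so the outcome is False, not Unknown Device, because the user still holds trusted profiles.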