Device Signing Verifier node
Verifies possession of a registered bound device.
The node requires the device to sign a challenge string using the private key that corresponds to a stored public key.
The user might need to unlock their cryptography keys with biometric security — such as a fingerprint — or a PIN.
This node can be used in usernameless authentication flows. The ForgeRock SDKs store and provide the identity when handling the callbacks from this node. If the device has been registered by more than one user, the SDK displays a list of the registered keys to choose from on the client device.
Compatibility
Product | Compatible?
---|---
Advanced Identity Cloud | Yes
PingAM (self-managed) | Yes
Ping Identity Platform (self-managed) | Yes
Inputs
If you want the device to sign a custom challenge, its value must be available in shared state. Enter the variable name in the Shared state attribute for Challenge property.
Dependencies
This node requires that you have bound devices by using the Device Binding node.
Configuration
Property | Usage
---|---
Sign Random Challenge | Use a random value as the challenge for signing.
Shared state attribute for Challenge | Use the value from the named attribute in shared state as the challenge for signing.
Application IDs | A list of Android package names and iOS bundle IDs of applications allowed to perform device signing verification. For example,
Title | A title to display to the user when asking them to sign the challenge.
Sub Title | A secondary title or subtitle to display to the user when asking them to sign the challenge.
Description | Descriptive text displayed to the user when asking them to sign the challenge.
Capture Failure | When enabled, adds the reason for a failure to the shared node state variable DeviceSigningVerifierNode.FAILURE. If not enabled, the journey halts with an exception and does not continue along an outcome path. Reasons for failure include:
Timeout | Specify the number of seconds to wait for the client to return the signed challenge. If the specified time is reached, evaluation continues along the Timeout outcome path.
Outputs
If you enable the Capture Failure property, the node outputs a failure reason string in a variable named DeviceSigningVerifierNode.FAILURE.
Outcomes
- Success
- Failure
- No Registered Device
- Key Not Found
- Unsupported (Client)
- Abort (Client)
- Timeout (Client)
- ClientNotRegistered (Client)
If the response from the device is verified as coming from a bound device, evaluation continues along the Success outcome path.

If AM cannot verify that the response was signed by a bound device, evaluation continues along the Failure outcome path.

If the user does not have any bound devices, evaluation continues along the No Registered Device outcome path. The user is determined either earlier in the authentication journey or, in usernameless flows, by reading the sub claim from the response.

If the client device cannot access the cryptography keys, or the key ID that AM requested cannot be located, evaluation continues along the Key Not Found outcome path.

If the user's client does not support the requested operation, evaluation continues along the Unsupported outcome path.

If the user cancels authentication, evaluation continues along the Abort outcome path.

If the node does not receive a response from the user's device within the Timeout specified in the node configuration, evaluation continues along the Timeout outcome path.

If the client device does not have the keys needed to sign the challenge, evaluation continues along the ClientNotRegistered outcome path.
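The following is an added example, not code from this page, the ForgeRock SDKs, or PingAM. It models the exchange the node performs and the outcome mapping above in Go: the server issues a challenge (from a shared-state attribute or at random, as in the Inputs and Configuration sections), the device signs it with the private key held on the device, and the server verifies the signature against the public key stored by the Device Binding node. The Registry and Response types, the NewChallenge, SignChallenge and Verify functions, the ClientStatus field used to carry client-side outcomes, and the constructed sample users are all assumptions of this example; the real callback payload layout is not shown on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// Outcome mirrors the node's outcome paths.
type Outcome string

const (
	Success             Outcome = "Success"
	Failure             Outcome = "Failure"
	NoRegisteredDevice  Outcome = "No Registered Device"
	KeyNotFound         Outcome = "Key Not Found"
	Unsupported         Outcome = "Unsupported"
	Abort               Outcome = "Abort"
	Timeout             Outcome = "Timeout"
	ClientNotRegistered Outcome = "ClientNotRegistered"
)

// Registry is a stand-in (assumed layout) for what the Device Binding node stored:
// user -> key ID -> public key. The private key never leaves the device.
type Registry map[string]map[string]*ecdsa.PublicKey

// Response is a simplified stand-in for the client's reply. A device that cannot
// sign sets ClientStatus to one of the client-side outcomes instead of a signature.
type Response struct {
	Sub          string  // user identifier; in usernameless flows the server reads it from here
	KeyID        string  // which bound key signed
	Challenge    string  // the challenge echoed back
	Signature    []byte  // ASN.1 DER ECDSA signature over signingInput(...)
	ClientStatus Outcome // "" when the client produced a signature
}

// NewChallenge returns the value to sign: the named shared-state attribute when the
// node is configured with one, otherwise 32 random bytes ("Sign Random Challenge").
func NewChallenge(sharedState map[string]string, attr string) (string, error) {
	if attr != "" {
		if v := sharedState[attr]; v != "" {
			return v, nil
		}
		return "", fmt.Errorf("shared state attribute %q is not set", attr)
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// signingInput binds identity and key ID to the challenge so a signature cannot
// be presented under another user or key.
func signingInput(sub, kid, challenge string) []byte {
	h := sha256.Sum256([]byte(sub + "\x00" + kid + "\x00" + challenge))
	return h[:]
}

// SignChallenge is the device side: sign with the private key held on the device.
func SignChallenge(priv *ecdsa.PrivateKey, sub, kid, challenge string) (*Response, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signingInput(sub, kid, challenge))
	if err != nil {
		return nil, err
	}
	return &Response{Sub: sub, KeyID: kid, Challenge: challenge, Signature: sig}, nil
}

// Verify is the server side and returns the outcome path the node would take.
// A nil response models the client not answering within the configured timeout.
func Verify(reg Registry, expectedChallenge string, resp *Response) Outcome {
	if resp == nil {
		return Timeout
	}
	if resp.ClientStatus != "" {
		return resp.ClientStatus // client could not sign; its reason is the outcome
	}
	keys := reg[resp.Sub]
	if len(keys) == 0 {
		return NoRegisteredDevice
	}
	// Only the challenge this verifier issued is acceptable, so an earlier
	// signed response cannot be replayed.
	if subtle.ConstantTimeCompare([]byte(resp.Challenge), []byte(expectedChallenge)) != 1 {
		return Failure
	}
	pub := keys[resp.KeyID]
	if pub == nil || !ecdsa.VerifyASN1(pub, signingInput(resp.Sub, resp.KeyID, resp.Challenge), resp.Signature) {
		return Failure // unknown key ID or bad signature: not provably a bound device
	}
	return Success
}

func main() {
	// Constructed sample data: alice bound one device, bob bound none.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reg := Registry{"alice": {"alice-phone": &priv.PublicKey}}
	challenge, _ := NewChallenge(nil, "")
	resp, _ := SignChallenge(priv, "alice", "alice-phone", challenge)
	fmt.Println(Verify(reg, challenge, resp), Verify(reg, challenge, &Response{Sub: "bob"}))
}
```

Two checks in Verify matter in practice: the challenge must be compared against the one this evaluation issued, otherwise a captured signed response could be replayed later, and the user and key ID must be part of the signed data, otherwise a valid signature for one registered key could be presented with a different sub or kid.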