Device Signing Verifier node

Verifies possession of a registered bound device.

The node requires the device to sign a challenge string using the private key that corresponds to a stored public key.

The user might need to unlock their cryptography keys with biometric security — such as a fingerprint — or a PIN.

This node can be used in usernameless authentication flows.

The ForgeRock SDKs store the identity and supply it when handling the callbacks from this node. If more than one user has registered the device, the SDK displays a list of the registered keys on the client device for the user to choose from.

Compatibility

Product                                  Compatible?
Advanced Identity Cloud                  Yes
PingAM (self-managed)                    Yes
Ping Identity Platform (self-managed)    Yes

Inputs

If you want the device to sign a custom challenge instead of a random one, its value must already be in shared state when this node runs. Enter the name of that shared state variable in the Shared state attribute for Challenge property.

Dependencies

This node requires that you have bound devices by using the Device Binding node.

Configuration

Property Usage

Sign Random Challenge

Use a random value as the challenge for signing.

Shared state attribute for Challenge

Use the value from the named attribute in shared state as the challenge for signing.

Application IDs

A list of Android package names and iOS bundle IDs of the applications allowed to perform device signing verification. The issuer (ISS) claim of the signed response must match one of these values.

For example, com.example.app.

Title

A title to display to the user when asking them to sign the challenge with the bound device.

Sub Title

A secondary title, or subtitle, to display to the user when asking them to sign the challenge with the bound device.

Description

Descriptive text to display to the user when asking them to sign the challenge with the bound device.

Capture Failure

When enabled, the node writes the reason for a failure to the shared state variable DeviceSigningVerifierNode.FAILURE and continues evaluation along the Failure outcome path.

When not enabled, the journey halts with an exception and does not continue along any outcome path.

Reasons for failure include:

INVALID_CLAIM

Failed to validate one or more claims presented in the token.

For example, the challenge claim did not match the value set in the node configuration, or the issuer (ISS) claim did not match a value in the Application IDs list.

INVALID_SIGNATURE

Failed to validate the token signature.

INVALID_USER

Account does not exist.

NOT_ACTIVE_USER

Account is not active or locked out.

INVALID_SUBJECT

Failed to validate the token subject.

Timeout

Specify the number of seconds to wait for the client to return the signed challenge.

If the specified time is reached, evaluation continues along the Timeout outcome path.

Outputs

If you enable the Capture Failure property, the node writes the failure reason string to the shared state variable DeviceSigningVerifierNode.FAILURE.

Outcomes

  • Success

  • Failure

  • No Registered Device

  • Key Not Found

  • Unsupported (Client)

  • Abort (Client)

  • Timeout (Client)

  • ClientNotRegistered (Client)

If the response from the device is verified as coming from a bound device, evaluation continues along the Success outcome path.

If AM cannot verify that the response was signed by a bound device, evaluation continues along the Failure outcome path.

If the user does not have any bound devices, evaluation continues along the No Registered Device outcome path. The user is identified either earlier in the authentication journey, or, in usernameless flows, by reading the sub claim from the signed response.

If the client device cannot access its cryptography keys, or the key ID that AM requested cannot be located, evaluation continues along the Key Not Found outcome path.

If the user’s client does not support the requested operation, evaluation continues along the Unsupported outcome path.

If the user cancels authentication, evaluation continues along the Abort outcome path.

If the node does not receive a response from the user’s device within the Timeout specified in the node configuration, evaluation continues along the Timeout outcome path.

If the client device does not have the keys needed to sign the challenge, evaluation continues along the ClientNotRegistered outcome path.