Advanced Identity Cloud

Device Signing Verifier node

Verifies possession of a registered bound device.

The node requires the device to sign a challenge string using the private key that corresponds to a stored public key.

The user might need to unlock their cryptography keys with biometric security — such as a fingerprint — or a PIN.

This node can be used in usernameless authentication flows.

The ForgeRock SDKs store and provide the identity when handling the callbacks from this node. If the device has been registered by more than one user, the SDK displays a list of the registered keys to choose from on the client device.

Compatibility

  • Advanced Identity Cloud: Yes

  • PingAM (self-managed): Yes

  • Ping Identity Platform (self-managed): Yes

Inputs

If you want the device to sign a particular challenge, the value must be available in shared state.

Dependencies

You can bind devices by using the Device Binding node.

Configuration

  • Sign Random Challenge: Specifies that the node should use a random value as the challenge for signing.

  • Shared state attribute for Challenge: Specifies that the node should use the value of the named shared state attribute as the challenge for signing.

  • Application IDs: Specifies a list of Android package names and iOS bundle IDs of applications that are allowed to perform device signing verification. For example, com.example.app.

  • Title: Specifies a title to display to the user when asking them to bind the device.

  • Sub Title: Specifies a secondary title, or subtitle, to display to the user when asking them to bind the device.

  • Description: Specifies descriptive text to display to the user when asking them to bind the device.

  • Timeout: Specifies the number of seconds to wait for a response from the client during binding. If the specified time is reached, evaluation continues along the Timeout outcome path.

Outcomes

  • Success

  • Failure

  • No Registered Device

  • Key Not Found

  • Unsupported (Client)

  • Abort (Client)

  • Timeout (Client)

  • ClientNotRegistered (Client)

If the response from the device is verified as coming from a bound device, evaluation continues along the Success outcome path.

If AM cannot verify that the response was signed by a bound device, evaluation continues along the Failure outcome path.

If the user does not have any bound devices, evaluation continues along the No Registered Device outcome path. The user is determined either previously in the authentication journey, or by reading the sub claim from the response when doing usernameless flows.

If the client device cannot access the cryptography keys, or the key ID that AM requested cannot be located on the device, evaluation continues along the Key Not Found outcome path.

If the user’s client does not support the requested operation, evaluation continues along the Unsupported outcome path.

If the user cancels authentication, evaluation continues along the Abort outcome path.

If the node does not receive a response from the user’s device within the Timeout specified in the node configuration, evaluation continues along the Timeout outcome path.

If the client device does not have the keys present to be able to sign the challenge, evaluation continues along the ClientNotRegistered outcome path.
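The following Go program is an added, simplified model of the challenge-response flow this node performs, written for this page; it is not ForgeRock or Ping Identity code and does not reproduce the SDK's real callback format. It assumes the bound device holds a P-256 ECDSA key, that the challenge is hashed with SHA-256 before signing, and that the stored registration is a map of user to key ID to public key (all constructed for the example). ChooseChallenge covers both challenge properties (random value versus shared state attribute), Sign is the client side including the cases where it cannot sign, and Verify maps the reply to the outcomes listed above. The mapping of a disallowed application ID to the Failure outcome is this example's assumption, since the page does not state which outcome that case takes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

type Outcome string // names follow the node's outcome list; the mapping below is a model, not AM's own logic
const (
	Success             Outcome = "Success"
	Failure             Outcome = "Failure"
	NoRegisteredDevice  Outcome = "No Registered Device"
	KeyNotFound         Outcome = "Key Not Found"
	ClientNotRegistered Outcome = "ClientNotRegistered"
)

// Config mirrors the node properties described on the page (ApplicationIDs kept as a set for lookup).
type Config struct {
	SignRandomChallenge bool
	ChallengeAttribute  string          // shared-state attribute holding the challenge when not random
	ApplicationIDs      map[string]bool // Android package names / iOS bundle IDs allowed to sign
}

// Registry models what the Device Binding node stored (user -> key ID -> public key);
// Device models the client key store (key ID -> private key), hardware-backed on a real device.
type Registry map[string]map[string]*ecdsa.PublicKey
type Device map[string]*ecdsa.PrivateKey

// NewDeviceKey creates the P-256 key pair a device would generate during binding (assumed curve).
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Response is a constructed shape for the client's reply; the SDK's real callback payload differs.
type Response struct {
	Sub, KeyID, ApplicationID, Challenge string
	Signature                            []byte  // ASN.1 DER ECDSA signature over SHA-256(challenge)
	ClientError                          Outcome // KeyNotFound or ClientNotRegistered when the client could not sign
}

// ChooseChallenge selects the challenge as the two challenge properties describe.
func ChooseChallenge(cfg Config, state map[string]string) (string, error) {
	if cfg.SignRandomChallenge {
		buf := make([]byte, 32) // fresh randomness per attempt, so a captured signature cannot be replayed
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		return base64.RawURLEncoding.EncodeToString(buf), nil
	}
	if v := state[cfg.ChallengeAttribute]; v != "" {
		return v, nil
	}
	return "", fmt.Errorf("shared state attribute %q is missing or empty", cfg.ChallengeAttribute)
}

// Sign is the client side: sign the challenge with the requested key, or report why it cannot.
func (d Device) Sign(sub, keyID, appID, challenge string) Response {
	if len(d) == 0 {
		return Response{ClientError: ClientNotRegistered} // no bound keys at all on this device
	}
	if priv, ok := d[keyID]; ok {
		digest := sha256.Sum256([]byte(challenge))
		if sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:]); err == nil {
			return Response{Sub: sub, KeyID: keyID, ApplicationID: appID, Challenge: challenge, Signature: sig}
		}
	}
	return Response{ClientError: KeyNotFound} // the requested key ID is absent or could not be used
}

// Verify is the server side: map the reply to one of the node's outcomes.
func Verify(cfg Config, reg Registry, expected string, resp Response) Outcome {
	if resp.ClientError != "" {
		return resp.ClientError
	}
	keys := reg[resp.Sub] // user known from earlier in the journey, or from the sub claim (usernameless)
	if len(keys) == 0 {
		return NoRegisteredDevice
	}
	pub, ok := keys[resp.KeyID]
	digest := sha256.Sum256([]byte(resp.Challenge))
	if ok && cfg.ApplicationIDs[resp.ApplicationID] && resp.Challenge == expected &&
		ecdsa.VerifyASN1(pub, digest[:], resp.Signature) {
		return Success
	}
	return Failure // unknown key, app not on the allow list, altered challenge, or bad signature
}

func main() {
	priv, _ := NewDeviceKey()
	cfg := Config{SignRandomChallenge: true, ApplicationIDs: map[string]bool{"com.example.app": true}}
	ch, _ := ChooseChallenge(cfg, nil)
	resp := Device{"key-1": priv}.Sign("alice", "key-1", "com.example.app", ch)
	fmt.Println(Verify(cfg, Registry{"alice": {"key-1": &priv.PublicKey}}, ch, resp)) // Success
}
```

The server compares the returned challenge with the one it issued before checking the signature, so a signature captured from an earlier attempt fails on the challenge comparison rather than reaching the verifier; that is the property the Sign Random Challenge option buys, and a fixed value taken from shared state only has it if whatever wrote that attribute made it unique per attempt.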