Access Management 7.2.2

Chains for push authentication

Push authentication uses two separate authentication modules:

  • A module to register a device to receive push notifications called ForgeRock Authenticator (Push) Registration.

  • A module to perform the actual authentication itself, called ForgeRock Authenticator (Push).

You can insert both modules into a single chain to register devices and then authenticate with push notifications. See Create a chain for push authentication.

The ForgeRock Authenticator (Push) module can also be used for passwordless authentication using push notifications. If the module is placed at the start of a chain, it will ask the user to enter their user ID, but not their password. A push notification is then sent to their registered device to complete the authentication by using the ForgeRock Authenticator app.

Before implementing passwordless push authentication, consider the Limitations when using passwordless push authentication. In particular, because the push notification is triggered by the user ID alone, anyone who can submit a valid user ID can cause a notification to be sent to that user's registered device, so users must be instructed to deny any push notification they did not initiate themselves.

Create a chain for push authentication

The procedure assumes the following:

  • Users will provide user IDs and passwords as the first step of MFA.

  • If the user does not have a device registered to receive push notifications, they will be asked to register a device. After successfully registering a device for push, authentication will proceed to the next step.

  • A push notification will be sent to the device as a second factor to complete authentication.

  • The following services are configured:

    ForgeRock Authenticator (Push) Service

    Specifies the attribute in which to store information about the registered Push device, and whether to encrypt the data.

    For detailed information about the available properties, see ForgeRock Authenticator (Push) Service.

    Push Notification Service

    Configures how AM sends push notifications to registered devices, including endpoints, and access credentials.

    For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

    For detailed information about the available properties, see Push Notification Service.

To create an MFA chain that uses the ForgeRock Authenticator (Push) Registration and ForgeRock Authenticator (Push) modules, perform the following steps:

  1. In the AM admin UI, select the realm that will contain the authentication chain.

  2. Create a ForgeRock Authenticator (Push) Registration authentication module as follows:

    • Select Authentication > Modules, and click Add Module.

    • Fill in fields on the New Module page as follows:

      • Name: Choose a module name, for example push-reg.

      • Type: Select ForgeRock Authenticator (Push) Registration.

    • Click Create.

    • Configure the module to meet your organization’s requirements.

      For more information about the authentication module’s configuration settings, see ForgeRock Authenticator (Push) Registration Authentication Module.

  3. Create a ForgeRock Authenticator (Push) authentication module as follows:

    • Select Authentication > Modules, and click Add Module.

    • Complete the New Module page as follows:

      • Name: Specify a module name, for example push-auth.

      • Type: Select ForgeRock Authenticator (Push).

    • Click Create.

    • Configure the module to meet your organization’s requirements.

      For more information about the authentication module’s configuration settings, see ForgeRock Authenticator (Push) authentication module.

  4. Create the authentication chain as follows:

    • Select Authentication > Chains, and click Add Chain.

    • Enter a name for the chain, for example myPushAuthChain, and click Create.

    • Add the Data Store authentication module to the authentication chain as follows:

      • Click Add a Module.

      • Fill in the New Module dialog box, specifying the Data Store authentication module. For this example, specify the Requisite flag. A Requisite module must succeed, and if it fails, authentication fails immediately without evaluating the rest of the chain, so a wrong password never causes a push notification to be sent to the user's device.

      • Click OK.

        The graphic showing your authentication chain now includes a Data Store authentication module.

    • Add the ForgeRock Authenticator (Push) Registration authentication module to the authentication chain as follows:

      • Click Add a Module.

      • Complete the New Module dialog box, specifying the ForgeRock Authenticator (Push) Registration authentication module that you just created. For this example, specify the Requisite flag.

      • Click OK.

        The graphic showing your authentication chain now includes a Data Store, and a ForgeRock Authenticator (Push) Registration authentication module.

    • Add the ForgeRock Authenticator (Push) authentication module to the authentication chain as follows:

      • Click Add a Module.

      • Complete the New Module dialog box, specifying the ForgeRock Authenticator (Push) authentication module that you created. For this example, specify the Required flag. A Required module must also succeed, but if it fails, the remaining modules in the chain are still evaluated before the failure is returned; because this is the last module in the chain, the outcome is the same as with Requisite.

      • Click OK.

        The graphic showing your authentication chain now includes a Data Store, a ForgeRock Authenticator (Push) Registration, and a ForgeRock Authenticator (Push) authentication module.

        This single authentication chain can handle both device registration and push authentications.

    • Save your changes.

  5. Test your authentication chain as follows:

    • Log out of AM, and then go to a URL similar to the following: https://openam.example.com:8443/openam/XUI/?realm=/&service=myPushAuthChain#login

    • Follow the procedure described in Test push authentication to verify that you can use the ForgeRock Authenticator app to perform MFA. If the chain is correctly configured, authentication is successful and AM displays the user profile page.

Create a chain for push registration and passwordless authentication

The procedure assumes the following:

  • Users will provide only their user IDs as the first step of MFA.

  • The user already has a device registered to receive push notifications. For an authentication chain that can register a device for push notifications, see Create a chain for push authentication.

  • A push notification will be sent to the device as a second factor, to complete authentication without the need to enter a password.

  • The following services are configured:

    ForgeRock Authenticator (Push) Service

    Specifies the attribute in which to store information about the registered Push device, and whether to encrypt the data.

    For detailed information about the available properties, see ForgeRock Authenticator (Push) Service.

    Push Notification Service

    Configures how AM sends push notifications to registered devices, including endpoints, and access credentials.

    For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

    For detailed information about the available properties, see Push Notification Service.

To create an MFA chain that uses the ForgeRock Authenticator (Push) module for passwordless authentication, perform the following steps:

  1. In the AM admin UI, select the realm that will contain the authentication chain.

  2. Create the authentication chain as follows:

    • Select Authentication > Chains, and click Add Chain.

    • Specify a name, for example myPasswordlessAuthChain, and click Create.

    • Add the ForgeRock Authenticator (Push) authentication module to the authentication chain as follows:

      • Click Add a Module.

      • Complete the New Module dialog box, specifying the ForgeRock Authenticator (Push) authentication module that you created. For this example, specify the Requisite flag.

      • Click OK.

        The graphic showing your authentication chain now includes a ForgeRock Authenticator (Push) authentication module.

        This is an authentication chain set up for passwordless push authentication.

    • Save your changes.

  3. Test your authentication chain as follows:

    • Log out of AM, and then go to a URL similar to the following: https://openam.example.com:8443/openam/XUI/?realm=/&service=myPasswordlessAuthChain#login

    • Follow the procedure described in Test push authentication to verify that you can use the ForgeRock Authenticator app to perform MFA. If the chain is correctly configured, authentication is successful and AM displays the user profile page, without having to enter a password.
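As an added example that is not part of this documentation or of ForgeRock's own code, the following Python client runs either chain from the two test steps above (myPushAuthChain, entering a user ID and password, and myPasswordlessAuthChain, entering the user ID only) through AM's REST authenticate endpoint instead of the XUI. It assumes AM's documented JSON callback exchange: a POST to /json/realms/root/authenticate with authIndexType=service and the chain name, NameCallback and PasswordCallback for the Data Store module, a PollingWaitCallback carrying a waitTime while the push module waits for approval in the ForgeRock Authenticator app, and a tokenId on success. The replies embedded in the block are constructed in that shape so the logic runs offline; the hostname follows the page, the user demo and password Ch4ngeit are assumptions, and the class and function names are the example's own.

```python
"""Drive an AM 7.2 authentication chain via the REST authenticate endpoint. Added
example, not ForgeRock code. Assumes AM's documented callback exchange: POST
/json/realms/root/authenticate?authIndexType=service&authIndexValue=<chain>, answer
NameCallback/PasswordCallback, re-POST unchanged while PollingWaitCallback is returned."""
import copy
import json
import time
import urllib.error
import urllib.request
from typing import Optional

API_VERSION = "resource=2.0, protocol=1.0"


def http_transport(base_url: str):
    """Real transport (base_url like https://openam.example.com:8443/openam).
    A 401 body is returned rather than raised so the caller sees AM's message."""
    def send(service: str, body: Optional[dict]) -> dict:
        url = (f"{base_url}/json/realms/root/authenticate"
               f"?authIndexType=service&authIndexValue={service}")
        req = urllib.request.Request(
            url, method="POST", data=json.dumps(body).encode() if body is not None else b"",
            headers={"Content-Type": "application/json", "Accept-API-Version": API_VERSION})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            return json.load(err)
    return send


class ScriptedTransport:
    """Offline stand-in for http_transport: replays canned replies and records
    every body the client submitted so the exchange can be checked."""
    def __init__(self, replies: list):
        self.replies = copy.deepcopy(replies)
        self.sent: list = []

    def __call__(self, service: str, body: Optional[dict]) -> dict:
        self.sent.append(body)
        if not self.replies:
            raise RuntimeError("scripted transport exhausted")
        return self.replies.pop(0)


def fill_callbacks(step: dict, username: str, password: Optional[str]) -> dict:
    """Answer the callbacks AM returned for the module currently running."""
    for cb in step["callbacks"]:
        if cb["type"] == "NameCallback":
            cb["input"][0]["value"] = username
        elif cb["type"] == "PasswordCallback":
            if password is None:  # a passwordless chain must never ask for one
                raise RuntimeError("chain requested a password but none was supplied")
            cb["input"][0]["value"] = password
        elif cb["type"] != "PollingWaitCallback":  # polling has nothing to fill in
            raise RuntimeError(f"unhandled callback type {cb['type']}")
    return step


def wait_time_ms(step: dict) -> Optional[int]:
    """waitTime (ms) of a PollingWaitCallback, or None if the step has none."""
    for cb in step["callbacks"]:
        if cb["type"] == "PollingWaitCallback":
            return int(next(o["value"] for o in cb["output"] if o["name"] == "waitTime"))
    return None


def drive_chain(send, service: str, username: str, password: Optional[str] = None,
                sleep=time.sleep, max_polls: int = 12) -> str:
    """Run the chain to completion and return the SSO tokenId. RuntimeError on an
    AM failure reply (e.g. a wrong password rejected by the Requisite Data Store
    module, before any push is sent); TimeoutError if the push is never approved."""
    step = send(service, None)  # an empty POST starts the chain
    polls = 0
    while "tokenId" not in step:
        if "callbacks" not in step:
            raise RuntimeError(f"authentication failed: {step.get('message', step)}")
        ms = wait_time_ms(step)
        if ms is not None:
            polls += 1
            if polls > max_polls:
                raise TimeoutError(f"push not approved after {max_polls} polls")
            sleep(ms / 1000)
        step = send(service, fill_callbacks(step, username, password))
    return step["tokenId"]


# Constructed replies shaped like AM's authenticate responses (not captured).
NAME_CB = {"type": "NameCallback", "output": [{"name": "prompt", "value": "User Name:"}],
           "input": [{"name": "IDToken1", "value": ""}]}
PASSWORD_CB = {"type": "PasswordCallback", "output": [{"name": "prompt", "value": "Password:"}],
               "input": [{"name": "IDToken2", "value": ""}]}
POLL_CB = {"type": "PollingWaitCallback", "output": [{"name": "waitTime", "value": "5000"},
                                                     {"name": "message", "value": "Waiting for response..."}]}
NAME_AND_PASSWORD = {"authId": "authid-1", "callbacks": [NAME_CB, PASSWORD_CB]}
NAME_ONLY = {"authId": "authid-2", "callbacks": [NAME_CB]}
POLLING = {"authId": "authid-3", "callbacks": [POLL_CB]}
SUCCESS = {"tokenId": "sso-token-1", "successUrl": "/openam/console", "realm": "/"}
AUTH_FAILED = {"code": 401, "reason": "Unauthorized", "message": "Authentication Failed"}
MFA_CHAIN_REPLIES = [NAME_AND_PASSWORD, POLLING, POLLING, SUCCESS]  # myPushAuthChain
PASSWORDLESS_REPLIES = [NAME_ONLY, POLLING, SUCCESS]  # myPasswordlessAuthChain
```

Against a live server, drive_chain(http_transport("https://openam.example.com:8443/openam"), "myPushAuthChain", "demo", "Ch4ngeit") runs the first chain and returns the session token once the push is approved in the app. Two failure modes the XUI test does not make explicit are visible here: a wrong password against the Requisite Data Store module comes back as AM's 401 reply before any push is sent, which the client reports as a failure, and a push that is never approved ends in a TimeoutError after max_polls rounds rather than polling forever. Registering a new device is not modelled: the registration module returns callbacks this client does not fill in, so it stops with an unhandled-callback error instead of guessing.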