Access Management 7.2.2

Create trees for push authentication and registration

Push authentication uses authentication trees to receive push notifications and to perform the actual authentication itself.

Authentication trees can be used for passwordless authentication using push notifications. When configured for passwordless authentication, the authentication flow asks the user to enter their user ID but not their password. A push notification is then sent to their registered device to complete the authentication by using the ForgeRock Authenticator app.

Before implementing passwordless push authentication, consider the Limitations when using passwordless push authentication.

Create a tree for push authentication

The procedure assumes the following:

  • Users will provide user IDs and passwords as the first step of MFA.

  • A push notification will be sent to the device as a second factor to complete authentication.

  • The following services are configured:

    ForgeRock Authenticator (Push) Service

    Specifies the attribute in which to store information about the registered Push device, and whether to encrypt the data.

    For detailed information about the available properties, see ForgeRock Authenticator (Push) Service.

    Push Notification Service

    Configures how AM sends push notifications to registered devices, including endpoints and access credentials.

    For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

    For detailed information about the available properties, see Push Notification Service.

To create an MFA tree, follow these steps:

  1. In the AM admin UI, go to Realms > Realm Name > Authentication > Trees, and create the authentication tree as follows:

  2. Test your authentication tree as follows:

    • Log out of AM, and then go to a URL similar to the following: https://openam.example.com:8443/openam/XUI/?realm=/alpha&service=myPushTree#login

    • Follow the procedure described in Test push authentication to verify that you can use the ForgeRock Authenticator app to perform MFA. If the authentication tree is correctly configured, authentication is successful and AM displays the user profile page.

Create a tree for passwordless authentication

The procedure assumes the following:

  • Users will provide only their user IDs as the first step of MFA.

  • Users have a device registered for push authentication.

  • A push notification will be sent to the device as a second factor to complete authentication, without the need to enter the user’s password.

  • The following services are configured:

    ForgeRock Authenticator (Push) Service

    Specifies the attribute in which to store information about the registered Push device, and whether to encrypt the data.

    For detailed information about the available properties, see ForgeRock Authenticator (Push) Service.

    Push Notification Service

    Configures how AM sends push notifications to registered devices, including endpoints and access credentials.

    For information on provisioning the credentials required by the Push Notification Service, see How To Configure Service Credentials (Push Auth, Docker) in Backstage in the ForgeRock Knowledge Base.

    For detailed information about the available properties, see Push Notification Service.

To create an MFA tree for passwordless authentication, follow these steps:

  1. In the AM admin UI, go to Realms > Realm Name > Authentication > Trees, and create the authentication tree as follows:

    • Select Authentication > Trees, and click Create Tree.

    • Enter a name for the tree, for example myPasswordlessAuthTree, and click Create.

      The authentication tree designer is displayed, with the Start entry point connected to the Failure exit point.

      You can add nodes to the authentication tree by dragging the node from the Components panel on the left-hand side and dropping it into the designer area.

    • Add the following nodes to the authentication tree:

    • Connect the nodes as demonstrated in the following figures:

      Figure 3. Passwordless Push Authentication Example (Standalone AM)

      Figure 4. Passwordless Push Authentication Example (ForgeRock Identity Platform)

    • Save your changes.

  2. Test your authentication tree as follows:

    • Log out of AM, and then go to a URL similar to the following: https://openam.example.com:8443/openam/XUI/?realm=/alpha&service=myPasswordlessAuthTree#login

    • Follow the procedure described in Test push authentication to verify that you can use the ForgeRock Authenticator app to perform MFA. If the authentication tree is correctly configured, authentication is successful and AM displays the user profile page, without having to enter a password.
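The test steps of both procedures above can also be exercised over AM's REST authenticate endpoint, which makes it easy to confirm that the passwordless tree never presents a password prompt. This is an added example, not ForgeRock's code: it assumes the tree names from this page (myPushTree, myPasswordlessAuthTree), the alpha realm, and AM's standard callback JSON (NameCallback, PasswordCallback, PollingWaitCallback from the Push Sender/Push Result nodes); the HTTP transport is injected so the callback logic can be checked offline.

```python
# Added example (not ForgeRock's code): walk an AM authentication tree over the
# REST authenticate endpoint and fail fast if a tree that is meant to be
# passwordless asks for a password. Transport and sleep are injectable.
import json
import time
import urllib.request

HEADERS = {"Content-Type": "application/json",
           "Accept-API-Version": "resource=2.0, protocol=1.0"}


def http_post(url, body):
    """Real transport: POST a JSON body to AM and return the parsed reply.
    AM answers a failed authentication with HTTP 401, which urlopen raises."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=HEADERS)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def authenticate(base_url, realm, tree, username, password=None,
                 post=http_post, sleep=time.sleep, max_rounds=60):
    """Drive the tree's callbacks and return the SSO tokenId on success.
    password=None means the tree is expected to be passwordless: a
    PasswordCallback is then treated as a misconfiguration, not filled in."""
    url = (f"{base_url}/json/realms/root/realms/{realm}/authenticate"
           f"?authIndexType=service&authIndexValue={tree}")
    reply = post(url, {})  # an empty body starts the tree
    for _ in range(max_rounds):
        if "tokenId" in reply:
            return reply["tokenId"]
        for cb in reply.get("callbacks", []):
            if cb["type"] == "NameCallback":
                cb["input"][0]["value"] = username
            elif cb["type"] == "PasswordCallback":
                if password is None:
                    raise RuntimeError("passwordless tree prompted for a password")
                cb["input"][0]["value"] = password
            elif cb["type"] == "PollingWaitCallback":
                # Push node waiting for the Authenticator app: honour the
                # advertised interval (milliseconds), then resubmit unchanged.
                ms = next(o["value"] for o in cb["output"] if o["name"] == "waitTime")
                sleep(int(ms) / 1000)
        reply = post(url, reply)  # echo authId plus the filled-in callbacks
    raise RuntimeError("push approval not received within max_rounds polls")
```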