ForgeRock Developer Experience

Configure biometric authentication journeys

To use mobile biometrics with the ForgeRock SDK for iOS, configure the authentication nodes in your journeys as follows:

  1. In each WebAuthn Registration node and WebAuthn Authentication node:

    • Ensure the Return challenge as JavaScript option is not enabled.

      The SDK expects a JSON response from these nodes; enabling the Return challenge as JavaScript option would cause the journey to fail.

    • Set the Relying party identifier option to be the domain hosting the apple-app-site-association file; for example, openam-docs.forgeblocks.com.

      You do not need the protocol or the path.

    • To enable passkey support, enable Username to device in the WebAuthn Registration node, and Username from device in the WebAuthn Authentication node.

  2. In each WebAuthn Registration node:

    • Set the Authentication attachment option to either UNSPECIFIED or PLATFORM.

    • Ensure the Accepted signing algorithms option includes ES256.

    • Ensure the Limit registrations option is not enabled.

Configure origin domains

To enable WebAuthn on iOS devices, you must configure the nodes with a specially formatted string containing the bundle identifier of your application, which you can find in Xcode on the Signing & Capabilities tab of your app's target page:

Figure 1. Bundle identifier field in Xcode

Prefix this value with the string ios:bundle-id:. For example:

ios:bundle-id:com.forgerock.ios.sdk.Quickstart

To enable passkey support, add the fully-qualified domain name of the Identity Cloud or AM instance as an origin domain. For example, https://openam-docs.forgeblocks.com.

Add these values to the Origin domains property in each WebAuthn Registration node and WebAuthn Authentication node in the journey.
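The settings above are easy to get subtly wrong (a scheme left in the relying party identifier, a bundle identifier added without the ios:bundle-id: prefix, ES256 missing from the signing algorithms), and a journey that is misconfigured in one of these ways fails only at runtime on the device. The following Python lint is an added example written for this page; it is not ForgeRock code and does not read the AM or Identity Cloud export format. It checks a simplified dictionary of node settings, whose key names are this example's own, against the rules listed in both sections above, and builds the ios:bundle-id: origin string from an Xcode bundle identifier.

```python
"""Lint WebAuthn node settings against the iOS SDK requirements in this guide.

The dictionary keys used here (return_challenge_as_javascript, relying_party_id,
origin_domains, ...) are this example's own simplified representation of a node,
not the names used in an AM/Identity Cloud journey export.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

IOS_PREFIX = "ios:bundle-id:"
# Apple bundle identifiers: alphanumerics, hyphens and periods.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9.-]+$")
# A bare DNS name: labels separated by dots, no scheme, no path.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def ios_origin(bundle_id: str) -> str:
    """Build the origin-domain entry for an iOS app from its bundle identifier."""
    if not BUNDLE_ID_RE.match(bundle_id):
        raise ValueError(f"not a valid bundle identifier: {bundle_id!r}")
    return IOS_PREFIX + bundle_id


def lint_node(node: dict, kind: str, passkeys: bool = False) -> list[str]:
    """Return the list of problems found; an empty list means the node follows the guide.

    kind is "registration" or "authentication"; passkeys says whether the
    journey is meant to support passkeys.
    """
    problems: list[str] = []

    # Rules common to both node types.
    if node.get("return_challenge_as_javascript"):
        problems.append("'Return challenge as JavaScript' must be disabled: the SDK expects JSON")
    rp = node.get("relying_party_id", "")
    if "://" in rp or "/" in rp or not HOSTNAME_RE.match(rp):
        problems.append(f"relying party identifier must be a bare domain, got {rp!r}")

    origins = node.get("origin_domains", [])
    if not any(o.startswith(IOS_PREFIX) for o in origins):
        problems.append(f"origin domains must include an '{IOS_PREFIX}<bundle id>' entry")
    for origin in origins:
        if origin.startswith(IOS_PREFIX):
            if not BUNDLE_ID_RE.match(origin[len(IOS_PREFIX):]):
                problems.append(f"malformed iOS origin {origin!r}")
        else:
            parts = urlsplit(origin)
            if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
                problems.append(f"origin {origin!r} should be https://<fqdn> with no path")

    if passkeys:
        flag = "username_to_device" if kind == "registration" else "username_from_device"
        if not node.get(flag):
            problems.append(f"passkey support needs '{flag}' enabled")
        if not any(urlsplit(o).scheme == "https" for o in origins):
            problems.append("passkey support needs the AM/Identity Cloud origin (https://<fqdn>)")

    # Rules that apply only to the registration node.
    if kind == "registration":
        if node.get("authenticator_attachment") not in ("UNSPECIFIED", "PLATFORM"):
            problems.append("authentication attachment must be UNSPECIFIED or PLATFORM")
        if "ES256" not in node.get("accepted_signing_algorithms", []):
            problems.append("accepted signing algorithms must include ES256")
        if node.get("limit_registrations"):
            problems.append("'Limit registrations' must be disabled")
    return problems


# Constructed sample settings using the domain and bundle id from this guide.
GOOD_REGISTRATION = {
    "return_challenge_as_javascript": False,
    "relying_party_id": "openam-docs.forgeblocks.com",
    "origin_domains": [ios_origin("com.forgerock.ios.sdk.Quickstart"),
                       "https://openam-docs.forgeblocks.com"],
    "username_to_device": True,
    "authenticator_attachment": "PLATFORM",
    "accepted_signing_algorithms": ["ES256", "RS256"],
    "limit_registrations": False,
}
GOOD_AUTHENTICATION = {
    "return_challenge_as_javascript": False,
    "relying_party_id": "openam-docs.forgeblocks.com",
    "origin_domains": [ios_origin("com.forgerock.ios.sdk.Quickstart"),
                       "https://openam-docs.forgeblocks.com"],
    "username_from_device": True,
}
# A registration node with the typical mistakes: scheme and path in the RP id,
# bundle id without its prefix, http origin, wrong attachment, no ES256.
BAD_REGISTRATION = {
    "return_challenge_as_javascript": True,
    "relying_party_id": "https://openam-docs.forgeblocks.com/am",
    "origin_domains": ["com.forgerock.ios.sdk.Quickstart",
                       "http://openam-docs.forgeblocks.com"],
    "authenticator_attachment": "CROSS_PLATFORM",
    "accepted_signing_algorithms": ["RS256"],
    "limit_registrations": True,
}

if __name__ == "__main__":
    for name, node, kind in [("good registration", GOOD_REGISTRATION, "registration"),
                             ("good authentication", GOOD_AUTHENTICATION, "authentication"),
                             ("bad registration", BAD_REGISTRATION, "registration")]:
        print(name, lint_node(node, kind, passkeys=True) or "OK")
```

Run the script as-is to see the three sample nodes checked; to lint your own journey, translate each node's settings into the same dictionary shape and call lint_node for every WebAuthn Registration and WebAuthn Authentication node. The relying party check deliberately rejects anything with a scheme or path, because the identifier must match the host serving the apple-app-site-association file, not a URL.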