Configure biometric authentication journeys
To use mobile biometrics with the ForgeRock SDK for iOS, configure the authentication nodes in your journeys as follows:
- In each WebAuthn Registration node and WebAuthn Authentication node:
  - Ensure the Return challenge as JavaScript option is not enabled.
    The SDK expects a JSON response from these nodes; enabling the Return challenge as JavaScript option would cause the journey to fail.
  - Set the Relying party identifier option to the domain hosting the apple-app-site-association file; for example, openam-docs.forgeblocks.com. You do not need the protocol or the path.
  - To enable passkey support, enable Username to device in the WebAuthn Registration node, and Username from device in the WebAuthn Authentication node.
- In each WebAuthn Registration node:
  - Set the Authentication attachment option to either UNSPECIFIED or PLATFORM.
  - Ensure the Accepted signing algorithms option includes ES256.
  - Ensure the Limit registrations option is not enabled.
Configure origin domains
To enable WebAuthn on iOS devices, you must configure the nodes with a specially formatted string containing the bundle identifier of your application, which you can find in Xcode, on the Signing & Capabilities tab of your app's target page.
Prefix this value with the string ios:bundle-id:. For example:
ios:bundle-id:com.forgerock.ios.sdk.Quickstart
To enable passkey support, add the fully-qualified domain name of the Identity Cloud or AM instance as an origin domain. For example, https://openam-docs.forgeblocks.com.
Add these values to the Origin domains property in each WebAuthn Registration node and WebAuthn Authentication node in the journey.
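As an added example (not ForgeRock's code), the following Python lint checks a node's settings against the requirements above before a journey is deployed. The JSON property names in NODE_CONFIG are assumed for illustration and must be mapped to the fields in your own journey export; the check that an https origin's host equals, or is a subdomain of, the Relying party identifier follows the WebAuthn origin/RP ID rule.

```python
# Added example, not ForgeRock's code: a pre-flight lint for the WebAuthn node settings
# described above. The JSON property names are assumed; map them to your journey export.
from urllib.parse import urlparse

BUNDLE_ID_PREFIX = "ios:bundle-id:"

# Constructed sample node that mirrors the recommended settings
NODE_CONFIG = {
    "nodeType": "WebAuthnRegistrationNode",
    "returnChallengeAsJavaScript": False,
    "relyingPartyId": "openam-docs.forgeblocks.com",
    "originDomains": ["ios:bundle-id:com.forgerock.ios.sdk.Quickstart",
                      "https://openam-docs.forgeblocks.com"],
    "authenticationAttachment": "PLATFORM",
    "acceptedSigningAlgorithms": ["ES256", "RS256"],
    "limitRegistrations": False,
}

def origin_matches_rp_id(origin, rp_id):
    """https origin whose host equals rp_id or is a subdomain of it (WebAuthn rule)."""
    p = urlparse(origin)
    if p.scheme != "https" or not p.hostname or p.path not in ("", "/"):
        return False
    host = p.hostname.lower()
    return host == rp_id or host.endswith("." + rp_id)

def lint_webauthn_node(cfg):
    """Return a list of findings; an empty list means the node is iOS-SDK ready."""
    out = []
    if cfg.get("returnChallengeAsJavaScript"):
        out.append("Return challenge as JavaScript must be disabled (SDK expects JSON)")
    rp_id = cfg.get("relyingPartyId", "").lower()
    if not rp_id or "/" in rp_id or ":" in rp_id:
        out.append("Relying party identifier must be a bare domain, no protocol or path")
    origins = cfg.get("originDomains", [])
    if not any(o.startswith(BUNDLE_ID_PREFIX) for o in origins):
        out.append("Origin domains needs an ios:bundle-id:<bundle identifier> entry")
    https = [o for o in origins if o.startswith("https://")]
    if not https:
        out.append("Passkeys need the instance FQDN as an https origin domain")
    out += [f"Origin {o!r} is not under relying party id {rp_id!r}"
            for o in https if not origin_matches_rp_id(o, rp_id)]
    if cfg.get("nodeType") == "WebAuthnRegistrationNode":
        if cfg.get("authenticationAttachment") not in ("UNSPECIFIED", "PLATFORM"):
            out.append("Authentication attachment must be UNSPECIFIED or PLATFORM")
        if "ES256" not in cfg.get("acceptedSigningAlgorithms", []):
            out.append("Accepted signing algorithms must include ES256")
        if cfg.get("limitRegistrations"):
            out.append("Limit registrations must be disabled")
    return out
```

Run lint_webauthn_node over each WebAuthn node in the journey export; any non-empty result names the setting that would make the iOS SDK journey fail.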