Getting started with OneSpan Authentication for ForgeRock
  • 29 Oct 2024

Article summary

OneSpan Authentication for ForgeRock combines authentication and risk management with ForgeRock's identity management and single sign-on capabilities. To start, install OneSpan Authentication for ForgeRock, create a sandbox account on the OneSpan Community Portal, and set up a mobile application. Additionally, create rules in Risk Analytics Presentation Service for specific use cases. In ForgeRock Access Management, add a OneSpan Configuration auxiliary service to specify developer sandbox details. Replace sample nodes with your own implementations before deploying in production. Finally, explore and create workflows using the provided sample trees in the Workflow topics of the guide.

Welcome to OneSpan Authentication for ForgeRock! This solution combines OneSpan authentication and Risk Management with the identity management and single sign-on (SSO) capabilities of the ForgeRock solution.

With ForgeRock Access Management, you can create workflows that include OneSpan-specific tree nodes, and you can easily adapt these workflows as needed.

Before you can start working with OneSpan Authentication for ForgeRock you need to complete the following steps:

  1. Install OneSpan Authentication for ForgeRock

  2. Create a sandbox account on the OneSpan Community Portal

  3. Set up a mobile application

  4. Set up rules in Risk Analytics Presentation Service

Install OneSpan Authentication for ForgeRock

To install OneSpan Authentication for ForgeRock

  1. Download the current OneSpan Authentication for ForgeRock version here.

  2. Copy OneSpan-Auth-Tree-Nodes-version.jar to the /web-container/webapps/openam/WEB-INF/lib folder where ForgeRock Access Management is deployed.

  3. Restart ForgeRock Access Management. The OneSpan trees and nodes are now available in Authentication > Trees.

Create a sandbox account on the OneSpan Community Portal

Before you begin

Before you can access the OneSpan Intelligent Adaptive Authentication sandbox environment, you must register and create your user account on the OneSpan Community Portal at https://community.onespan.com and then sign up for a sandbox user account. Based on the information you enter, the portal creates your sandbox with a risk management and an authentication environment.

To register as a user on the OneSpan Community Portal

  1. In an Internet browser, navigate to https://community.onespan.com.

  2. Click Sign up.

    The email address you provide in the following step can only be used once to register in the OneSpan Community Portal!

  3. To register and enroll as a user on the OneSpan Community Portal, fill in the fields in the account creation form and click Sign up.

By completing the registration, your profile is created on the OneSpan Community Portal. To access it, navigate to https://community.onespan.com and click the profile button in the upper right corner. On the My Account page you can manage your account, i.e., set a new password for the OneSpan Community Portal or delete your portal account.

Deleting your account will also delete all data associated with the account. This action cannot be reversed!

Now that you have successfully created your Community Portal user account, you can sign up for a free sandbox account.

To sign up for a developer sandbox account

  1. In the OneSpan Community Portal, switch to the Intelligent Adaptive Authentication product page (via Products) and click Free Developer Sandbox.

  2. Fill in the fields in the account creation form and click Submit.

    The portal creates your sandbox environment with a risk management and an authentication environment.

You now have a sandbox user account.

The OneSpan Community Portal also creates a dedicated instance of an authentication server domain with 10 authenticators available, and a dedicated environment of the Risk Management service. You are the owner of this instance of the Risk Management service, which enables you to change the rules, responses, and actions as required.

The OneSpan Community Portal contains the links to your instance of the Risk Management service, the Intelligent Adaptive Authentication service, and the OneSpan Intelligent Adaptive Authentication demo, as well as the default credentials and a summary of the information you provided in the registration form.

Set up a mobile application

Set up a mobile application that integrates OneSpan Mobile Security Suite.

Alternatively, you can download and install the Adaptive Authentication Services (AAS) mobile demo app.

Set up rules in Risk Analytics Presentation Service

To fully leverage the tree node functionalities, you need to create rules for the following use cases:

  • Rule 1: When an end user tries to log in, send an extra PIN challenge to the user’s trusted device.

  • Rule 2: When an end user tries to validate a transaction event, and the transaction amount is below 100, send an extra PIN challenge to the user’s trusted device.

To create the rules

  1. Open Risk Analytics Presentation Service and navigate to DESIGN RULES & ACTIONS > Rule Management > Rules.

  2. Select Non Mon Events > Adaptive Authentication.

  3. Create a new division named UserLogin Management with the following criterion:

    is NON_MON_EVENT_TYPE_KEY = LoginAttempt

  4. Toggle the newly created division.

  5. Create a rule named ChallengePIN and click Save & Next.

  6. Skip creating history criteria, match criteria, match key, and action.

  7. On the Create Response / Status page, select ChallengePin in the Set Value field.

  8. Toggle the newly created rule.

  9. Navigate to DESIGN RULES & ACTIONS > Rule Management > Rules.

  10. Select Transactions > Adaptive Authentication Web Payments > Challenged TXN > Very Low amount.

  11. Click the Edit Response / Status icon and change the response to ChallengePIN.

  12. Save your changes.

Fingerprint and face biometrics are also available options. If you decide to change the response to these challenge types, you need to enroll your face and/or fingerprint in the Intelligent Adaptive Authentication demo app.

For more information about working with Risk Analytics Presentation Service, refer to the Risk Analytics Admin Guides.

Add a OneSpan configuration auxiliary service

In ForgeRock Access Management, you need to create a realm-specific service named OneSpan Configuration, where you can specify your developer sandbox details.

To create the auxiliary service

  1. In ForgeRock Access Management, navigate to REALMS > your_realm > Services.

  2. Add a new service and select OneSpan Configuration as the service type.

  3. Specify your developer sandbox details.

    You can find the environment in the URL of your sandbox account after the tenant name. For example, in https://tenant_name.sdb.tid.onespan.cloud, the environment is sdb (sandbox).

  4. Click Create.

Additional tasks

The workflow trees described in this guide use OneSpan sample nodes. Do not use these nodes in production environments; replace them with your own node implementations.

In particular, you need to replace the OneSpan Sample Store Command node with your own implementation in login and transaction workflows, before you roll out your solution to production.
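One way to enforce this before rollout is a pre-deployment check that scans exported tree JSON for leftover sample nodes. This is an added example, not OneSpan or ForgeRock code; the export layout, the node type names, and the marker-matching heuristic are assumptions, and the input is constructed.

```python
import json

# Assumption: a sample node can be recognised because a string in the export
# names both the vendor and the word "sample", as in the guide's
# "OneSpan Sample Store Command". Adjust the markers to your real exports.
MARKERS = ("onespan", "sample")

# Constructed export; the layout and node type names are hypothetical.
CONSTRUCTED_EXPORT = json.loads("""
{
  "tree": {"_id": "ExampleLoginTree", "entryNodeId": "n1"},
  "nodes": {
    "n1": {"displayName": "Collect Username", "nodeType": "HypotheticalCollectorNode"},
    "n2": {"displayName": "OneSpan Sample Store Command", "nodeType": "HypotheticalStoreNode"},
    "n3": {"displayName": "OneSpan Login", "nodeType": "HypotheticalLoginNode"}
  }
}
""")


def find_sample_nodes(value, path="$"):
    """Walk JSON of any shape; return (json_path, text) for each string
    value that contains every marker (case-insensitive)."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            hits += find_sample_nodes(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits += find_sample_nodes(child, f"{path}[{index}]")
    elif isinstance(value, str):
        lowered = value.lower()
        if all(marker in lowered for marker in MARKERS):
            hits.append((path, value))
    return hits


def ready_for_production(export):
    """True only when no sample node reference remains in the export."""
    return not find_sample_nodes(export)


if __name__ == "__main__":
    for path, text in find_sample_nodes(CONSTRUCTED_EXPORT):
        print(f"sample node still present at {path}: {text}")
    print("ready for production:", ready_for_production(CONSTRUCTED_EXPORT))
```

Run it against each tree exported from the target realm and fail the deployment when `ready_for_production` returns `False`.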

Next steps

You are now ready to create and explore your OneSpan Authentication for ForgeRock workflows. You can reproduce the sample trees in the Workflow topics of this guide using one of the following methods:

  • Import the JSON files in the /sample folder through ForgeRock Access Management.

    Note that the /sample folder contains workflow samples specifically for OneSpan Cloud Authentication (OneSpan-XUI-Cloud-Authentication-*) and specifically for Intelligent Adaptive Authentication (OneSpan-XUI-Adapative-Authentication-*, OneSpan-XUI-Risk-Analytics-*).

  • Manually create the trees based on the design of the sample trees.

Start with Scenario: User registration.

