vscheuber/ProgressiveProfileCompletion
Progressive Profile Completion Node

ForgeRock Progressive Profile Completion Authentication Tree Node

An authentication node for ForgeRock's Identity Platform 6.5.2 and above. This node integrates ForgeRock Identity Management's (IDM) progressive profile completion with ForgeRock Access Management's (AM) intelligent authentication framework. Build authentication trees and progressively build out your users' profiles by sporadically asking them for additional information or to confirm existing settings, all based on the Progressive Profile Completion (PPC) settings in IDM.

Download a release build from the release tab, or clone this repository to build your own release. Copy the .jar file from your download location (or from the ./target directory if you built it yourself) into the ../web-container/webapps/openam/WEB-INF/lib directory where AM is deployed. Restart the web container to pick up the new node. The node will then appear in the authentication trees components palette.

Related Nodes

Usage

Because user profiles are a personal matter and contain personally identifiable information (PII), you should properly authenticate the user in your tree before you use this node. Technically, the only thing the node requires besides correct settings (see below) is that the username shared state variable is set (for example by the Username Collector Node). The node has three exits:

  • Continue: None of the PPC rules triggered any forms.
  • Completed: One or more of the PPC rules triggered one or more forms and the user did save the forms.
  • Canceled: The user decided to cancel out of the process.

A sample tree could look like this:

ScreenShot of a sample tree

Note: The user is first properly authenticated using username and password, only then does she reach the PPC node.

A sample dialog you can expect your users to see when they are being prompted for additional information:

ScreenShot of the PPC dialog

Settings

  • IDM Base URL: Enter the base URL (without trailing slash) of the IDM instance you want to use, e.g. https://forgerock.mytestrun.com/openidm
  • IDM Privileged User: Enter the username of an IDM account privileged to run as another user. See chapter 20.1.7. Authenticating as a Different User on how to configure IDM for runAs.
  • IDM User Password: Enter the password of the IDM account.

Building Authentication Nodes

The code in this repository has binary dependencies that live in the ForgeRock Maven repository. Maven can be configured to authenticate to this repository by following the ForgeRock Knowledge Base Article.

IDM RunAs Configuration

The following JSON configuration snippet shows what you need to make this node work in your environment. The essential part is the runAsProperties object. Add that object under properties of your INTERNAL_USER block in your authentication.json file.

{
    "name": "INTERNAL_USER",
    "properties": {
        "queryId": "credential-internaluser-query",
        "queryOnResource": "internal/user",
        "propertyMapping": {
            "authenticationId": "username",
            "userCredential": "password",
            "userRoles": "authzRoles"
        },
        "defaultUserRoles": [],
        "runAsProperties": {
            "adminRoles": [
                "internal/role/openidm-admin"
            ],
            "disallowedRunAsRoles": [],
            "queryOnResource": "managed/user",
            "propertyMapping": {
                "authenticationId": "username",
                "userRoles": "authzRoles"
            }
        }
    },
    "enabled": true
}

Version History

1.0.2 May 19, 2020 Maintenance release:
  • Debug and error log messages properly identify the node they are coming from by adding the prefix: "ProgressiveProfileCompletionNode" to every message.
  • Detect and log runAs configuration issues in IDM. E.g.: ERROR: ProgressiveProfileCompletionNode: runAs failed! Tried to authenticate as [email protected] but got session for openidm-admin. Check your IDM runAs configuration in authentication.json.
  • Use the value in "Readable Title" instead of "Description" of the IDM managed object to render the form fields.
1.0.1 Feb 7, 2020 Code cleanup.
1.0.0 Feb 5, 2020 Functional Progressive Profile Completion (PPC) authentication node for ForgeRock Identity Platform 6.5.2.x.
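Two checks a deployer can run before wiring this node into a tree, as an added example that is not part of the node's own code: validate_run_as inspects an INTERNAL_USER block for the runAsProperties shape shown in the configuration section above, and check_run_as_session reproduces the 1.0.2 detection of a runAs that silently returned the privileged account's own session. The function names and the rule that a runAs session must carry the requested user's authenticationId are assumptions of this example; the sample block is the README's snippet, constructed here as a Python dict.

```python
# Constructed sample: the INTERNAL_USER block as the README's snippet shows it.
INTERNAL_USER_OK = {
    "name": "INTERNAL_USER",
    "properties": {
        "queryId": "credential-internaluser-query",
        "queryOnResource": "internal/user",
        "propertyMapping": {"authenticationId": "username",
                            "userCredential": "password", "userRoles": "authzRoles"},
        "defaultUserRoles": [],
        "runAsProperties": {
            "adminRoles": ["internal/role/openidm-admin"],
            "disallowedRunAsRoles": [],
            "queryOnResource": "managed/user",
            "propertyMapping": {"authenticationId": "username", "userRoles": "authzRoles"},
        },
    },
    "enabled": True,
}


def validate_run_as(block, admin_role="internal/role/openidm-admin"):
    """Return a list of problems found in an INTERNAL_USER block (empty means it
    matches the layout this node needs). Checks mirror the README snippet."""
    problems = []
    if block.get("name") != "INTERNAL_USER":
        problems.append("block is not the INTERNAL_USER module")
    if not block.get("enabled", False):
        problems.append("INTERNAL_USER module is disabled")
    run_as = block.get("properties", {}).get("runAsProperties")
    if run_as is None:
        problems.append("runAsProperties missing under properties")
        return problems  # nothing further to inspect
    if admin_role not in run_as.get("adminRoles", []):
        problems.append(f"adminRoles does not contain {admin_role}")
    if run_as.get("queryOnResource") != "managed/user":
        problems.append("runAs queryOnResource must be managed/user")
    if run_as.get("propertyMapping", {}).get("authenticationId") != "username":
        problems.append("runAs propertyMapping.authenticationId must be username")
    return problems


def check_run_as_session(requested_user, session_authentication_id):
    """Mirror the 1.0.2 check: runAs only succeeded if the session IDM handed back
    belongs to the requested user, not to the privileged account itself.
    Returns the error message to log, or None when the session is correct."""
    if session_authentication_id != requested_user:
        return ("ERROR: ProgressiveProfileCompletionNode: runAs failed! Tried to "
                f"authenticate as {requested_user} but got session for "
                f"{session_authentication_id}. Check your IDM runAs configuration "
                "in authentication.json.")
    return None
```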

The code described herein is provided on an "as is" basis, without warranty of any kind, to the fullest extent permitted by law. ForgeRock does not warrant or guarantee the individual success developers may have in implementing the sample code on their development platforms or in production configurations.

ForgeRock does not warrant, guarantee or make any representations regarding the use, results of use, accuracy, timeliness or completeness of any data or information relating to the sample code. ForgeRock disclaims all warranties, expressed or implied, and in particular, disclaims all warranties of merchantability, and warranties related to the code, or any service or software related thereto.

ForgeRock shall not be liable for any direct, indirect or consequential damages or costs of any type arising out of any action taken by you or others related to the sample code.
