Integrating Trusona and ForgeRock with OIDC

This guide details the steps required to configure Trusona as a passwordless authentication solution for your ForgeRock using the ForgeRock OIDC node.

1. Prerequisites

This integration relies on the ForgeRock OIDC Node which is available in AM6.0 or greater.

2. Configure Trusona Integration

2.1. Log into Trusona

Log into your Trusona account at trusona.dashboard.com

Log into the Trusona dashboard
Log into the Trusona dashboard

2.2. Navigate to the generic integration option(s)

Locate the navigation bar on the left side of the main page, and click on the Generic OIDC tab

Navigate to the correct tab
Navigate to the correct tab

2.3. Creating a new generic integration

Click on the Create button to begin

Navigate to the correct tab
Navigate to the correct tab

2.4. Customize & Upload Data

Be sure to fill in all the necessary information requested, and upload any files/documents needed. Failure to do so may prevent Trusona from creating the integration successfully

Fill out all the necessary information carefully
Fill out all the necessary information carefully

2.5. Additional actions for integrations

Once you have created your integration, you will be redirected back to the integration dashboard. From there, you should be able to see your new integration listed.

To the right of it, click on the Actions button. You will be presented with a number of different options you can select, depending on your requirements.

Click on the Actions button for further configuration details
Click on the Actions button for further configuration details

3. Configuring an OIDC Node

Create or modify a tree to use the OpenID Connect Node

Basic ForgeRock OIDC Node in Auth Tree
  1. Create or modify a tree to use the OpenID Connect Node
  2. Enter the following values for each configuration option in the OpenID Connect Node:
Field Name Value
Authentication Endpoint URL https://gateway.trusona.net/oidc
Access Token Endpoint URL https://gateway.trusona.net/oidc/tokens
User Profile Service URL https://gateway.trusona.net/oidc/userinfo
OAuth Scope openid email
Redirect URL Varies based on your deployment. The typical form is https://your-fr-host-domain/openam/?realm=THE_REALM&service=THE_TREE
Social Provider Trusona
Auth ID Key sub
Use Basic Auth enabled
Account Provider org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
Account Mapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
Attribute Mapper Required - Use the default setting.
Account Mapper Configuration It may be necessary to map email to uid if your users username are their email addresses.
Attribute Mapper Configuration Add a mapping for email to mail. Additional mappings based on the claims described in the appendix below may be required.
Save Attributes in the Session enabled
Token Issuer https://gateway.trusona.net
OpenID Connect Validation Type JWK URL
OpenID Connect Validation Value https://gateway.trusona.net/oidc/certs

3.1. OIDC configuration appendix

Based on your integration, a public identifier or a pairwise identifier can be returned as the Subject of the JWT Claims.

3.1.1. JWT Claim using a Public Identifier Subject
{
  "sub": "email@your-domain.com",
  "email": "email@your-domain.com",
  "aud": "client_id",
  "iss": "https://gateway.trusona.net",
  "exp": 1576132000,
  "nbf": 1576096000,
  "iat": 1576096000,
  "nonce": "42z6KubYSjN8KZAD6YREezB5zEc8qURbY"
}
3.1.2. JWT Claim using a Pairwise Identifier Subject
{
  "sub": "27bfdfe1918a3a079dfa11e7a459a40e2f024bd5ed1fedcbbbce0b1f9a27f2ff",
  "email": "email@your-domain.com",
  "aud": "client_id",
  "iss": "https://gateway.trusona.net",
  "exp": 1576132000,
  "nbf": 1576096000,
  "iat": 1576096000,
  "nonce": "NlR4iVNWsBPYl4QzQzQm4dmgjz3Gaiia"
}


Test the integration

  1. Open a new private browsing window
  2. Navigate to the realm and tree where you have configured the OIDC node
  3. Login with Trusona


Vanity URL setup

Add a new CNAME DNS record for your domain.

  1. Set the “host” value to the URL you’d like users to see when logging in
  2. Set the “Answer” value to ssl.trusona.net
  3. Set the TTL to 300


Here’s an example of a CNAME answer when retrieved by dig tada.trusona.com.

tada.trusona.com. 3600 IN CNAME ssl.trusona.net.

Integrations

Desktop
IAM and SSO
PAM
Productivity
VPN

Guides

Get started guides
Implementation guides
Users guides

SDKs

Mobile SDKs
Server SDKs
Web SDKs

APIs

Authentication Service
ID Proofing Service
Mobile Auth for Browsers Service

TOTP

Business
E-commerce
Finance
Productivity
Social
Gaming
Other