Integrating Trusona and ForgeRock with OIDC

This guide details the steps required to configure Trusona as a passwordless authentication solution for your ForgeRock using the ForgeRock OIDC node.

1. Prerequisites

This integration relies on the ForgeRock OIDC Node which is available in AM6.0 or greater.

2. Configuration

2.1. Step 1: Email Trusona

Send an email to with the following information:

Subject: ForgeRock OIDC Integration

  • Required:
    • Company name
    • ForgeRock Instance Hostname
  • Optional
    • Email domain(s) associated with your ForgeRock users. (e.g.
    • A vanity url you would like users to see when using Trusona to login to ForgeRock (e.g.

2.1.1. Sent by Trusona

Trusona will send you the following via email:

  • OIDC Client ID
  • OIDC Client Secret
  • OIDC Discovery URL

2.2. Step 2: Configuring an OIDC Node

Basic ForgeRock OIDC Node in Auth Tree
  1. Create or modify a tree to use the OpenID Connect Node
  2. Enter the following values for each configuration option in the OpenID Connect Node:
Field Name Value
Authentication Endpoint URL
Access Token Endpoint URL
User Profile Service URL
OAuth Scope openid email
Redirect URL Varies based on your deployment. The typical form is https://your-fr-host-domain/openam/?realm=THE_REALM&service=THE_TREE
Social Provider Trusona
Auth ID Key sub
Use Basic Auth enabled
Account Provider org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
Account Mapper org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper
Attribute Mapper Required - Use the default setting.
Account Mapper Configuration It may be necessary to map email to uid if your users username are their email addresses.
Attribute Mapper Configuration Add a mapping for email to mail. Additional mappings based on the claims described in the appendix below may be required.
Save Attributes in the Session enabled
Token Issuer
OpenID Connect Validation Type JWK URL
OpenID Connect Validation Value

2.2.1. OIDC configuration appendix

Based on your integration, a public identifier or a pairwise identifier can be returned as the Subject of the JWT Claims. JWT Claim using a Public Identifier Subject
  "sub": "",
  "email": "",
  "aud": "client_id",
  "iss": "",
  "exp": 1576132000,
  "nbf": 1576096000,
  "iat": 1576096000,
  "nonce": "42z6KubYSjN8KZAD6YREezB5zEc8qURbY"
} JWT Claim using a Pairwise Identifier Subject
  "sub": "27bfdfe1918a3a079dfa11e7a459a40e2f024bd5ed1fedcbbbce0b1f9a27f2ff",
  "email": "",
  "aud": "client_id",
  "iss": "",
  "exp": 1576132000,
  "nbf": 1576096000,
  "iat": 1576096000,
  "nonce": "NlR4iVNWsBPYl4QzQzQm4dmgjz3Gaiia"

2.3. Step 3: Test the integration

  1. Open a new private browsing window
  2. Navigate to the realm and tree where you have configured the OIDC node
  3. Login with Trusona

3. Vanity URL setup

Add a new CNAME DNS record for your domain.

  1. Set the “host” value to the URL you’d like users to see when logging in
  2. Set the “Answer” value to
  3. Set the TTL to 300

Here’s an example of a CNAME answer when retrieved by dig 3600 IN CNAME


Remote access


Get started guides
Implementation guides
Users guides


Mobile SDKs
Server SDKs
Web SDKs


Authentication Service
ID Proofing Service