1. Prerequisites
This integration relies on the ForgeRock OIDC Node, which is available in AM 6.0 or later.
2. Configuration
2.1. Step 1: Email Trusona
Send an email to support@trusona.com with the following information:
Subject: ForgeRock OIDC Integration
- Required:
  - Company name
  - ForgeRock Instance Hostname
- Optional:
  - Email domain(s) associated with your ForgeRock users (e.g. yourcompany.com)
  - A vanity URL you would like users to see when using Trusona to log in to ForgeRock (e.g. https://login.yourcompany.com)
2.1.1. Sent by Trusona
Trusona will send you the following via email:
- OIDC Client ID
- OIDC Client Secret
- OIDC Discovery URL
2.2. Step 2: Configuring an OIDC Node

- Create or modify a tree to use the OpenID Connect Node
- Enter the following values for each configuration option in the OpenID Connect Node:
| Field Name | Value |
|---|---|
| Authentication Endpoint URL | https://gateway.trusona.net/oidc |
| Access Token Endpoint URL | https://gateway.trusona.net/oidc/tokens |
| User Profile Service URL | https://gateway.trusona.net/oidc/userinfo |
| OAuth Scope | openid email |
| Redirect URL | Varies based on your deployment. The typical form is https://your-fr-host-domain/openam/?realm=THE_REALM&service=THE_TREE |
| Social Provider | Trusona |
| Auth ID Key | sub |
| Use Basic Auth | enabled |
| Account Provider | org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider |
| Account Mapper | org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper |
| Attribute Mapper | Required. Use the default setting. |
| Account Mapper Configuration | It may be necessary to map email to uid if your users' usernames are their email addresses. |
| Attribute Mapper Configuration | Add a mapping for email to mail. Additional mappings based on the claims described in the appendix below may be required. |
| Save Attributes in the Session | enabled |
| Token Issuer | https://gateway.trusona.net |
| OpenID Connect Validation Type | JWK URL |
| OpenID Connect Validation Value | https://gateway.trusona.net/oidc/certs |
2.2.1. OIDC configuration appendix
Based on your integration, a public identifier or a pairwise identifier can be returned as the Subject of the JWT Claims.
2.2.1.1. JWT Claim using a Public Identifier Subject
```json
{
"sub": "email@your-domain.com",
"email": "email@your-domain.com",
"aud": "client_id",
"iss": "https://gateway.trusona.net",
"exp": 1576132000,
"nbf": 1576096000,
"iat": 1576096000,
"nonce": "42z6KubYSjN8KZAD6YREezB5zEc8qURbY"
}
```
2.2.1.2. JWT Claim using a Pairwise Identifier Subject
```json
{
"sub": "27bfdfe1918a3a079dfa11e7a459a40e2f024bd5ed1fedcbbbce0b1f9a27f2ff",
"email": "email@your-domain.com",
"aud": "client_id",
"iss": "https://gateway.trusona.net",
"exp": 1576132000,
"nbf": 1576096000,
"iat": 1576096000,
"nonce": "NlR4iVNWsBPYl4QzQzQm4dmgjz3Gaiia"
}
```
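As an added illustration (not Trusona's or ForgeRock's own code), the following Python sketch shows the claim checks the OIDC node applies to an ID token like the ones above after its signature has been verified against the JWK URL, plus the account and attribute mappings configured in the table. The client ID, the expected nonce and the clock value are assumed values for the example.

```python
import time

ISSUER = "https://gateway.trusona.net"   # Token Issuer from the node configuration
CLIENT_ID = "client_id"                   # placeholder for the OIDC Client ID Trusona sends you
ATTRIBUTE_MAP = {"email": "mail"}         # Attribute Mapper Configuration from the table
ACCOUNT_MAP = {"sub": "uid"}              # Account Mapper Configuration (Auth ID Key = sub)

# Constructed sample claims mirroring the public-identifier appendix example.
PUBLIC_CLAIMS = {
    "sub": "email@your-domain.com", "email": "email@your-domain.com",
    "aud": "client_id", "iss": ISSUER, "exp": 1576132000,
    "nbf": 1576096000, "iat": 1576096000,
    "nonce": "42z6KubYSjN8KZAD6YREezB5zEc8qURbY",
}

def validate_claims(claims, expected_nonce, now=None, skew=60):
    """Return a list of problems; an empty list means the claims are acceptable.
    Signature verification is assumed to have happened already (JWK URL validation)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("audience mismatch")
    if now >= claims.get("exp", 0) + skew:
        problems.append("token expired")
    if now + skew < claims.get("nbf", 0):
        problems.append("token not yet valid")
    if claims.get("nonce") != expected_nonce:  # nonce must match the one bound to this login attempt
        problems.append("nonce mismatch (possible replay)")
    return problems

def is_pairwise_subject(sub):
    # Assumption for this example: a pairwise subject looks like the 64-hex-character
    # value in the appendix, while a public subject is an email address.
    return len(sub) == 64 and all(c in "0123456789abcdef" for c in sub)

def map_account(claims):
    """Apply the account mapping (used to look the user up) and the attribute mapping
    (stored on the profile / in the session) to a validated claim set."""
    lookup = {ACCOUNT_MAP[k]: v for k, v in claims.items() if k in ACCOUNT_MAP}
    attrs = {ATTRIBUTE_MAP[k]: v for k, v in claims.items() if k in ATTRIBUTE_MAP}
    return {"lookup": lookup, "attributes": attrs,
            "pairwise": is_pairwise_subject(claims["sub"])}
```

With a pairwise subject the uid lookup key is the opaque value, which is why the table notes that mapping email to uid may be needed when usernames are email addresses.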
2.3. Step 3: Test the integration
- Open a new private browsing window
- Navigate to the realm and tree where you have configured the OIDC node
- Log in with Trusona
3. Vanity URL setup
Add a new CNAME DNS record for your domain.
- Set the “host” value to the URL you’d like users to see when logging in
- Set the “Answer” value to ssl.trusona.net
- Set the TTL to 300
Here’s an example of a CNAME answer when retrieved by dig tada.trusona.com:

tada.trusona.com. 3600 IN CNAME ssl.trusona.net.