1. What’s in this doc
1. Prerequisites
This integration relies on the ForgeRock OIDC Node which is available in AM6.0 or greater.
2. Configuration
2.1. Step 1: Email Trusona
Send an email to support@trusona.com with the following information:
Subject: ForgeRock OIDC Integration
- Required:
- Company name
- Forgerock Instance Hostname
- Optional
- Email domain(s) associated with your ForgeRock users. (e.g.
yourcompany.com) - A vanity url you would like users to see when using Trusona to login to ForgeRock (e.g.
https://login.yourcompany.com)
- Email domain(s) associated with your ForgeRock users. (e.g.
2.1.1. Sent by Trusona
Trusona will send you the following via email:
- OIDC Client ID
- OIDC Client Secret
- OIDC Discovery URL
2.2. Step 2: Configuring an OIDC Node
- Create or modify a tree to use the OpenID Connect Node
- Enter the following values for each configuration option in the OpenID Connect Node:
| Field Name | Value |
|---|---|
| Authentication Endpoint URL | https://gateway.trusona.net/oidc |
| Access Token Endpoint URL | https://gateway.trusona.net/oidc/tokens |
| User Profile Service URL | https://gateway.trusona.net/oidc/userinfo |
| OAuth Scope | openid email |
| Redirect URL | Varies based on your deployment. The typical form is https://your-fr-host-domain/openam/?realm=THE_REALM&service=THE_TREE |
| Social Provider | Trusona |
| Auth ID Key | sub |
| Use Basic Auth | enabled |
| Account Provider | org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider |
| Account Mapper | org.forgerock.openam.authentication.modules.oidc.JwtAttributeMapper |
| Attribute Mapper | Required - Use the default setting. |
| Account Mapper Configuration | It may be necessary to map email to uid if your users username are their email addresses. |
| Attribute Mapper Configuration | Add a mapping for email to mail. Additional mappings based on the claims described in the appendix below may be required. |
| Save Attributes in the Session | enabled |
| Token Issuer | https://gateway.trusona.net |
| OpenID Connect Validation Type | JWK URL |
| OpenID Connect Validation Value | https://gateway.trusona.net/oidc/certs |
2.2.1. OIDC configuration appendix
Based on your integration, a public identifier or a pairwise identifier can be returned as the Subject of the JWT Claims.
2.2.1.1. JWT Claim using a Public Identifier Subject
{
"sub": "email@your-domain.com",
"email": "email@your-domain.com",
"aud": "client_id",
"iss": "https://gateway.trusona.net",
"exp": 1576132000,
"nbf": 1576096000,
"iat": 1576096000,
"nonce": "42z6KubYSjN8KZAD6YREezB5zEc8qURbY"
}
2.2.1.2. JWT Claim using a Pairwise Identifier Subject
{
"sub": "27bfdfe1918a3a079dfa11e7a459a40e2f024bd5ed1fedcbbbce0b1f9a27f2ff",
"email": "email@your-domain.com",
"aud": "client_id",
"iss": "https://gateway.trusona.net",
"exp": 1576132000,
"nbf": 1576096000,
"iat": 1576096000,
"nonce": "NlR4iVNWsBPYl4QzQzQm4dmgjz3Gaiia"
}
2.3. Step 3: Test the integration
- Open a new private browsing window
- Navigate to the realm and tree where you have configured the OIDC node
- Login with Trusona
3. Vanity URL setup
Add a new CNAME DNS record for your domain.
- Set the “host” value to the URL you’d like users to see when logging in
- Set the “Answer” value to ssl.trusona.net
- Set the TTL to 300
Here’s an example of a CNAME answer when retrieved by dig tada.trusona.com.
tada.trusona.com. 3600 IN CNAME ssl.trusona.net.
