AM Post SAML Auth Journey


I have all the ForgeRock AM configurations working for IdP-initiated sign-on, but need the capability to send users down a journey post-authentication via SAML for MFA / account checking. In the entity provider configuration, is there a way to include a journey? Or, for a specific entity / remote provider, can I add / enforce a journey redirect post account matching? Appreciate any help on this one.


Good morning, Nick.
The completed process of “Authentication” is one that asserts the identity of the authenticating party.
As I read the request, I’m left with the question, do you trust the authentication process or not.

I propose that the targeted Authentication tree needs to accomplish all that you are requesting above (a re-engineering effort).
Unless of course, this is to satisfy a “Step Up” authentication need. The simplest approach is to invoke these operations through the policy engine.



Thanks for the follow up. In terms of the above, I trust the authentication process but we have some additional checking around account status, profiling, etc. that we have embedded in journeys so need those executed post authentication.

Your comment regarding the policy services, are you referring to doing an authorization check / validation and sending that down a journey?


But this is precisely my point, Nick: from an AM Auth-N perspective, this is part of the Auth-N process or the Step-Up process.
If these properties are expected to be part of the Auth-N session or the “Authenticated session”, then they are to be sorted at Auth-N time.
Conversely, the “Step Up” session.

If the properties have no place in the Auth-N session or “Authenticated Session” (or the Authorization process, via the policy engine), then this work needs to be completed from an external service.

Correct, Authorization is a process following Authentication. And AM provides an Authorization process, handled by the Policy Engine. (Incidentally, many wrongly merge these two conversations).

“Journey”, is a generic term without context. Note I separate this into “Auth-N process” or “Step Up process”.


Yes, so I am going through the normal auth-n process, but do need to run a step-up authentication on login to do some additional progressive profiling, device profiling, etc. So, post auth-n in AM (via IdP-initiated SAML), how do I do the step-up for additional profiling? Would I need to set an auth level to 0 / some value so I can catch it in a journey?


Hi @nick.hunt
For now - but it’s coming soon - you can’t define a specific journey for an SP except by using the standard AuthContext parameter. In this situation it’s up to the SP to specify the AuthContext, and the platform will then redirect the user to the associated journey. The association AuthContext <-> Journey is configured in the IDP.
Alternatively, if you want the platform to enforce the use of a specific journey for an SP, you’ll have to do that with policies and IDP Adapters. You can read this blog post that explains how to do it: 6 Steps to customise your SAML Flow with ForgeRock as Identity Provider | by Stéphane Orluc | Medium
I hope it helps,

1 Like
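To make the AuthContext mechanism from the answer above concrete, here is an added example (not ForgeRock's code, nor from anyone in this thread) showing the protocol-level exchange: the SP puts a RequestedAuthnContext in its AuthnRequest and the IdP maps the requested AuthnContextClassRef to a journey. The mapping table and journey names are hypothetical; the class-ref URIs are the standard SAML ones.

```python
# Added example: SP-side AuthnRequest with RequestedAuthnContext, and the
# IdP-side lookup that turns the requested class ref into a journey name.
# The mapping below stands in for the AuthContext <-> Journey association
# configured in the IdP; journey names are hypothetical.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical IdP configuration: requested AuthnContextClassRef -> journey.
AUTHCONTEXT_TO_JOURNEY = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "Login",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": "LoginWithMFAProfiling",
}


def build_authn_request(sp_entity_id, class_ref=None):
    """Constructed SP-initiated AuthnRequest, optionally requesting an AuthnContext."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_example-id", Version="2.0")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if class_ref:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="unicode")


def select_journey(authn_request_xml, default_journey="Login"):
    """IdP side: choose the journey for an incoming AuthnRequest.

    No RequestedAuthnContext -> the IdP's default journey.
    Known class ref          -> the journey associated with it.
    Unknown class ref        -> None: the IdP should answer with the SAML
                                NoAuthnContext status instead of silently
                                falling back to a weaker journey.
    """
    root = ET.fromstring(authn_request_xml)
    ref = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    if ref is None or not (ref.text or "").strip():
        return default_journey
    return AUTHCONTEXT_TO_JOURNEY.get(ref.text.strip())
```

Note that in IdP-initiated SSO (the original poster's case) there is no AuthnRequest at all, so this selection never runs; that is why the answer points to policies and IDP Adapters for enforcing a journey per SP in that flow.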

The ootb solution for step-up is initiated by the authorization framework. The premise being that “step-up” is a requirement for “access”. There are many ways to identify the need for step-up. One common one being the “authentication level”, another the authentication service name.

I reiterate that many incorrectly merge the conversations and needs of authentication and authorization.

We seem to be going back and forth. For further information do see: Session upgrade :: AM 7.5.0