Auto-Provisioning Authentication Trees in AM


Using AM to auto-provision an authentication tree.

You can use ForgeRock® Access Management (AM) to design an onboarding flow with authentication trees, and use authentication trees to display the customer journey. In this article, we show you how to prepare the data in a node, and create an authentication flow to validate data and creates a user.

User provisioning is achieved with the Provision Dynamic Account Node to provision the account. For information, see ForgeRock Access Management 6.5 > Authentication and Single Sign-On Guide > Provision Dynamic Account Node. This node should be used with a social node, which prepares the data to be created. This article, however, does not use a social node. The authentication flow is illustrated below:

The set SharedState is a Groovy script which prepares the information that will be used by the provisioning node.

In order to run the script, set the Java class whitelist in Global Services > Scripting > Secondary Configurations > AUTHENTICATION TREE DECISION NODE> Secondary Configurations > EngineConfiguration with org.forgerock.json.JsonValue and java.util.* Ex.:


 - Data made available by nodes that have already executed are available in the sharedState variable.

 - The script should set outcome to either "true" or "false".


import org.forgerock.json.JsonValue;

import java.util.HashMap;

import java.util.Map;

import java.util.ArrayList;

import static org.forgerock.json.JsonValue.json;

import static org.forgerock.json.JsonValue.field;

import static org.forgerock.json.JsonValue.object;

outcome = "false";

//Username has to be set in the shared state as long as the password

String username = sharedState.get("username");

if ((username == null) || (username == ""))


HashMap<String, ArrayList<String>> userNamesparameters = new HashMap<>();

userNamesparameters.put("username", addAttribute(username));

//Attribute defintion

HashMap<String, ArrayList<String>> attrparameters = new HashMap<>();

attrparameters.put("mail", addAttribute(""));

attrparameters.put("cn", addAttribute("leonard.moustacchis"));

attrparameters.put("sn", addAttribute("moustacchis"));

attrparameters.put("givenName", addAttribute("leonard"));

//uid is not mandatory and will be generated automatically if not set

attrparameters.put("uid", addAttribute(username));


                           field("attributes", attrparameters),

                           field("userNames", userNamesparameters)


outcome = "true";

public ArrayList<String> addAttribute (String value) {

   ArrayList<String> attrlist=new ArrayList<String>();//Creating arraylist    


     return attrlist;


The data is set in shared state, and the user is ready to be created in the provisioning node.

Helpful Links