Forgerock CIAM | Integrating External Identity provider

Mano Rangasamy's profile

Mano Rangasamy posted 02-23-2022 08:03

Hi Everyone ,

I have a question.

  1. How to configure External IDP (OKTA, CyberArk etc) as an Authorization server for ForgeRock . How do we route user authentication to different idp based on user domain ?

Thanks in Advance

Lori Goldman posted 02-25-2022 08:08

Hi, Mano. The use case we currently have uses Identity Cloud as the auth server:

If I’m understanding your question correctly, you’d like use Okta as an external IDP. I will reach out to the team and see if I can get an answer for you.

Brad Tarisznyas's profile

Brad Tarisznyas posted 03-07-2022 04:49

HI Mano,

You should be able to use the AM Social Authentication for this if the IDP supports OAuth 2.0 or OIDC (ForgeRock Access Management 7.1.2 > Authentication and Single Sign-On Guide > Social Authentication). If you have further requirements to route the user, you could embed that logic into your authentication tree - so maybe prompt the user for email address, then use a scripted decision node to route to the appropriate social provider based on those you have configured.

In your scripted decision node, you could have something like:

var username = sharedState.get("username");
var domain = username.substring(username.lastIndexOf("@") +1);
  nodeState.putShared("selectedIdp", "Google");
  outcome = "Google";
  nodeState.putShared("selectedIdp", "Facebook");
  outcome = "Facebook";

Hope that helps.

Jatinder Singh
posted 03-25-2022 10:45

Adding to @Brad Tarisznyas suggestion - I would suggest to look into Federation whether it’s via SAML2 or OAuth2 + OIDC​. Most of the external IDP vendors including ForgeRock AM and Okta support this out of the box. Hope this helps!